
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,554 advisories

Credited to Faze-up
LangSmith SDK TracingMiddleware: Arbitrary server-side file read High
GHSA-f4xh-w4cj-qxq8 was published for langsmith (pip) Jun 19, 2026
Credited to Ryu7zz
Zeep: Server-Side Request Forgery (SSRF) Moderate
GHSA-4cc2-g9w2-fhf6 was published for zeep (pip) Jun 19, 2026
Anki: User scripts in iframes have access to the internal Anki API Moderate
GHSA-cw6h-ffmh-x6vh was published for aqt (pip) Jun 19, 2026
Credited to Bankde
ChatterBot: Symlink-Following Arbitrary Write via UbuntuCorpusTrainer Moderate
GHSA-wvrh-2f4m-924v was published for ChatterBot (pip) Jun 19, 2026
Credited to AAtomical
EverOS: Path traversal in EverOS /api/v1/memory/add via unvalidated sender_id High
GHSA-c795-2g9c-j48m was published for everos (pip) Jun 19, 2026
Credited to geo-chen
stigmem-node: decay sweep expires and counts facts across all tenants (cross-tenant BOLA) High
GHSA-6gqw-jqv7-v88m was published for stigmem-node (pip) Jun 19, 2026
stigmem-node: RTBF tombstones are mis-attributed and suppress reads tenant-blind (cross-tenant BOLA) High
GHSA-x26h-xmv8-gxf7 was published for stigmem-node (pip) Jun 19, 2026
MessagePack for Python: Out-of-bounds read / crash on Unpacker reuse after a caught error High
GHSA-6v7p-g79w-8964 was published for msgpack (pip) Jun 19, 2026
Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit Critical
CVE-2026-55447 was published for langflow (pip) Jun 19, 2026
Credited to vbCrLf, AntonioABLima, andifilhohub, erichare, and Adam-Aghili
Langflow: Unauthenticated DoS through multipart form boundary file upload High
CVE-2026-55446 was published for langflow (pip) Jun 19, 2026
Credited to ethansilvas, AntonioABLima, and andifilhohub
Langflow: Logout button does not clear session Moderate
CVE-2026-55423 was published for langflow (pip) Jun 19, 2026
Credited to iann0036, Cristhianzl, AntonioABLima, and andifilhohub
Credited to yzeirnials, andifilhohub, LeftenantZero, Zwique, AntonioABLima, erichare, and Adam-Aghili
py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read() Moderate
CVE-2026-55206 was published for py7zr (pip) Jun 19, 2026
Credited to 0xHunSec
py7zr: Decompression bomb (zip bomb) denial of service via unchecked extraction size Moderate
CVE-2026-55195 was published for py7zr (pip) Jun 19, 2026
Credited to BudongJW
VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files High
GHSA-rpj2-4hq8-938g was published for vcrpy (pip) Jun 19, 2026
Credited to RamiAltai
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens Moderate
CVE-2026-55837 was published for dbt-mcp (pip) Jun 19, 2026
Credited to EQSTLab
Ultimate Sitemap Parser (USP): XML Entity Expansion (Billion Laughs) DoS in XMLSitemapParser High
GHSA-p5wc-9w9r-m232 was published for ultimate-sitemap-parser (pip) Jun 19, 2026
Ultimate Sitemap Parser (USP): Gzip Decompression Bomb Bypasses Sitemap Size Limit High
GHSA-8823-qg2x-pv9f was published for ultimate-sitemap-parser (pip) Jun 19, 2026
Credited to EQSTLab
UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps() Moderate
CVE-2026-54911 was published for ujson (pip) Jun 19, 2026
Credited to Zwique, bwoodsend, and hugovk
Python Liquid: Infinite loop when parsing malformed `{% case %}` tags Moderate
CVE-2026-55865 was published for python-liquid (pip) Jun 19, 2026
Credited to Nuhiat-Arefin
jupyterlab-git excluded_paths Case-Sensitivity Bypass Allows Reading Excluded Directories High
CVE-2026-54528 was published for jupyterlab-git (pip) Jun 19, 2026
Credited to AAtomical, Yann-P, and jtpio
jupyterlab-git extension: Stored XSS leading to RCE High
CVE-2026-54527 was published for @jupyterlab/git (npm) Jun 19, 2026
Credited to krassowski and jtpio
Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders High
CVE-2026-54499 was published for stanza (pip) Jun 19, 2026
Credited to RamiAltai
ProTip! Advisories are also available from the GraphQL API
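The ProTip above points at the GraphQL API without showing a query. The following is an added example, not GitHub's own tooling and not code from any of the projects listed: it queries `securityVulnerabilities` for one pip package, flattens each advisory together with its affected version range and first patched version, and triages the result by severity. The live call assumes a `GITHUB_TOKEN` environment variable; the parsing and triage steps run offline against a constructed sample response modelled on the two stigmem-node entries in the listing, whose version range and patched version are made-up placeholders rather than the real advisories' values.

```python
"""Pull advisories for a package from the GitHub Advisory Database GraphQL API.

Added example, not code from GitHub or from any project in the listing. The
live call assumes GITHUB_TOKEN; parse_response / needs_attention are
exercised on a constructed sample response.
"""
import json
import os
import urllib.request
from dataclasses import dataclass
from typing import Optional

GRAPHQL_URL = "https://api.github.com/graphql"

# securityVulnerabilities joins each advisory to the affected version range and
# the first patched version, which is what a dependency audit actually needs.
QUERY = """
query($ecosystem: SecurityAdvisoryEcosystem!, $package: String!, $first: Int!) {
  securityVulnerabilities(ecosystem: $ecosystem, package: $package, first: $first,
                          orderBy: {field: UPDATED_AT, direction: DESC}) {
    nodes {
      vulnerableVersionRange
      firstPatchedVersion { identifier }
      advisory { ghsaId summary severity publishedAt identifiers { type value } }
    }
  }
}
"""

SEVERITY_RANK = {"LOW": 0, "MODERATE": 1, "HIGH": 2, "CRITICAL": 3}


@dataclass(frozen=True)
class Finding:
    ghsa_id: str
    cve_id: Optional[str]
    severity: str
    summary: str
    published_at: str
    vulnerable_range: str
    first_patched: Optional[str]


def parse_response(payload: dict) -> list:
    """Flatten a GraphQL response into Finding records; fail loudly on API errors."""
    if payload.get("errors"):
        raise RuntimeError("GraphQL errors: %s" % payload["errors"])
    findings = []
    for node in payload["data"]["securityVulnerabilities"]["nodes"]:
        adv = node["advisory"]
        cve = next((i["value"] for i in adv["identifiers"] if i["type"] == "CVE"), None)
        patched = node.get("firstPatchedVersion")
        findings.append(Finding(
            ghsa_id=adv["ghsaId"], cve_id=cve, severity=adv["severity"],
            summary=adv["summary"], published_at=adv["publishedAt"],
            vulnerable_range=node["vulnerableVersionRange"],
            first_patched=patched["identifier"] if patched else None))
    return findings


def fetch_findings(package: str, ecosystem: str = "PIP", first: int = 20,
                   token: Optional[str] = None) -> list:
    """Live query; needs network access and a token that can read public data."""
    token = token or os.environ["GITHUB_TOKEN"]
    variables = {"ecosystem": ecosystem, "package": package, "first": first}
    body = json.dumps({"query": QUERY, "variables": variables}).encode()
    req = urllib.request.Request(GRAPHQL_URL, data=body, method="POST", headers={
        "Authorization": "bearer " + token,
        "Content-Type": "application/json",
        "User-Agent": "advisory-audit-example"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_response(json.load(resp))


def needs_attention(findings: list, min_severity: str = "HIGH") -> list:
    """Keep findings at or above min_severity; unpatched ones sort first."""
    floor = SEVERITY_RANK[min_severity]
    kept = [f for f in findings if SEVERITY_RANK[f.severity] >= floor]
    return sorted(kept, key=lambda f: (f.first_patched is not None,
                                       -SEVERITY_RANK[f.severity], f.ghsa_id))


# Constructed sample response modelled on the two stigmem-node entries in the
# listing. The version range and patched version are made-up placeholders,
# not the real advisories' values.
SAMPLE_RESPONSE = {"data": {"securityVulnerabilities": {"nodes": [
    {"vulnerableVersionRange": "< 9.9.9",
     "firstPatchedVersion": {"identifier": "9.9.9"},
     "advisory": {"ghsaId": "GHSA-6gqw-jqv7-v88m",
                  "summary": "stigmem-node: decay sweep expires and counts facts across all tenants (cross-tenant BOLA)",
                  "severity": "HIGH", "publishedAt": "2026-06-19T00:00:00Z",
                  "identifiers": [{"type": "GHSA", "value": "GHSA-6gqw-jqv7-v88m"}]}},
    {"vulnerableVersionRange": "< 9.9.9",
     "firstPatchedVersion": None,
     "advisory": {"ghsaId": "GHSA-x26h-xmv8-gxf7",
                  "summary": "stigmem-node: RTBF tombstones are mis-attributed and suppress reads tenant-blind (cross-tenant BOLA)",
                  "severity": "HIGH", "publishedAt": "2026-06-19T00:00:00Z",
                  "identifiers": [{"type": "GHSA", "value": "GHSA-x26h-xmv8-gxf7"}]}},
]}}}

if __name__ == "__main__":
    for f in needs_attention(parse_response(SAMPLE_RESPONSE)):
        print(f.ghsa_id, f.severity, f.vulnerable_range, "patched in", f.first_patched)
```

For a live run, `fetch_findings("stigmem-node")` returns the same record shape; the triage sort puts advisories with no `firstPatchedVersion` first because those are the ones a version bump cannot fix and that need a mitigation or a removal decision instead.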