GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 91
GitHub Actions: 54
Go: 4,194
Maven: 5,000+
npm: 5,000+
NuGet: 1,021
pip: 5,000+
Pub: 13
RubyGems: 1,102
Rust: 1,422
Swift: 61

Unreviewed advisories
All unreviewed: 5,000+

5,554 advisories

Open Babel has heap buffer overflow in SMILES OBSmilesParser::ParseSmiles
High | CVE-2025-10996 was published for openbabel (pip) | Jun 30, 2026

Open Babel has out-of-bounds write (overlapping memcpy) in zipstream basic_unzip_streambuf::underflow
Low | CVE-2025-10995 was published for openbabel (pip) | Jun 30, 2026

Open Babel has Use-after-free in GAMESS GAMESSOutputFormat::ReadMolecule
Low | CVE-2025-10994 was published for openbabel (pip) | Jun 30, 2026

Open Babel has a NULL pointer dereference in CDXML OBAtom::GetExplicitValence
Low | CVE-2026-3408 was published for openbabel (pip) | Jun 30, 2026

Open Babel has NULL pointer dereference in MOL2 OBAtom::SetFormalCharge
Low | CVE-2026-2705 was published for openbabel (pip) | Jun 30, 2026

Open Babel has an out-of-bounds read in CIF transform3d::DescribeAsString
Low | CVE-2026-2704 was published for openbabel (pip) | Jun 30, 2026

mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
Critical | CVE-2026-49257 was published for mcp-pinot-server (pip) | Jun 26, 2026

mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call
High | CVE-2026-49291 was published for mcp-memory-service (pip) | Jun 26, 2026

Dosage Vulnerable to Stored Cross-Site Scripting (XSS) in HTML/RSS Output Handlers
Moderate | GHSA-75mw-h36v-2jv7 was published for dosage (pip) | Jun 26, 2026

joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization
Moderate | CVE-2026-48990 was published for joserfc (pip) | Jun 26, 2026

Flawfinder output manipulation via untrusted filenames and source text
Low | CVE-2026-48813 was published for flawfinder (pip) | Jun 26, 2026

python-socketio: Binary attachment accumulation can cause denial of service
High | CVE-2026-48804 was published for python-socketio (pip) | Jun 26, 2026

python-engineio has unbound thread allocation that can cause denial of service
High | CVE-2026-48802 was published for python-engineio (pip) | Jun 26, 2026

semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin
Critical | GHSA-98x5-vq43-vc5p was published for semantic-router (pip) | Jun 26, 2026

python-engineio has possible denial of service due to maximum payload size sometimes not being enforced
High | CVE-2026-48809 was published for python-engineio (pip) | Jun 26, 2026

nono-py's policy JSON accepts unknown security fields
Moderate | GHSA-m8j6-rc5x-wv36 was published for nono-py (pip) | Jun 26, 2026

nono-py vulnerable to authorization bypass / policy confusion
Moderate | GHSA-9j7f-3r4p-pwh6 was published for nono-py (pip) | Jun 26, 2026

Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication
Critical | CVE-2026-48797 was published for @mcptoolshop/backpropagate (npm) | Jun 26, 2026

nono-py has proxy-only network fallback bypass on older Linux kernels
Moderate | GHSA-72w7-mf9g-733p was published for nono-py (pip) | Jun 26, 2026

pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678)
Moderate | CVE-2026-48782 was published for pydantic-ai (pip) | Jun 26, 2026

Lemur: ACME SSRF + creator-equality IDOR lead to AWS IAM/PKI compromise
Critical | CVE-2026-55166 was published for lemur (pip) | Jun 25, 2026

Lemur: JWT verifier honors attacker-supplied alg, enabling ATO
Moderate | CVE-2026-55165 was published for lemur (pip) | Jun 25, 2026

Lemur user-update path stores plaintext passwords
Moderate | CVE-2026-55164 was published for lemur (pip) | Jun 25, 2026

Lemur Privilege Escalation: Non-admin role members can rewrite role membership via PUT /api/1/roles/<id>
Moderate | CVE-2026-55163 was published for lemur (pip) | Jun 25, 2026

Lemur: Crafted CRL/OCSP URLs in uploaded certificates lead to post-authentication SSRF
Moderate | CVE-2026-55162 was published for lemur (pip) | Jun 25, 2026

ProTip! Advisories are also available from the GraphQL API.