GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,554 advisories

Open Babel has heap buffer overflow in SMILES OBSmilesParser::ParseSmiles High
CVE-2025-10996 was published for openbabel (pip) Jun 30, 2026
Open Babel has Use-after-free in GAMESS GAMESSOutputFormat::ReadMolecule Low
CVE-2025-10994 was published for openbabel (pip) Jun 30, 2026
Open Babel has a NULL pointer dereference in CDXML OBAtom::GetExplicitValence Low
CVE-2026-3408 was published for openbabel (pip) Jun 30, 2026
Credited to VedantMadane
Open Babel has NULL pointer dereference in MOL2 OBAtom::SetFormalCharge Low
CVE-2026-2705 was published for openbabel (pip) Jun 30, 2026
Credited to VedantMadane
Open Babel has an out-of-bounds read in CIF transform3d::DescribeAsString Low
CVE-2026-2704 was published for openbabel (pip) Jun 30, 2026
Credited to VedantMadane
mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind Critical
CVE-2026-49257 was published for mcp-pinot-server (pip) Jun 26, 2026
Credited to raysabee and PeledTomer1
mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call High
CVE-2026-49291 was published for mcp-memory-service (pip) Jun 26, 2026
Credited to DavidCarliez
Dosage Vulnerable to Stored Cross-Site Scripting (XSS) in HTML/RSS Output Handlers Moderate
GHSA-75mw-h36v-2jv7 was published for dosage (pip) Jun 26, 2026
Credited to yueyueL
joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization Moderate
CVE-2026-48990 was published for joserfc (pip) Jun 26, 2026
Credited to 0xHunSec
Flawfinder output manipulation via untrusted filenames and source text Low
CVE-2026-48813 was published for flawfinder (pip) Jun 26, 2026
python-socketio: Binary attachment accumulation can cause denial of service High
CVE-2026-48804 was published for python-socketio (pip) Jun 26, 2026
Credited to mauriceng98
python-engineio has unbound thread allocation that can cause denial of service High
CVE-2026-48802 was published for python-engineio (pip) Jun 26, 2026
Credited to mauriceng98
semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin Critical
GHSA-98x5-vq43-vc5p was published for semantic-router (pip) Jun 26, 2026
Credited to jamescalam
python-engineio has possible denial of service due to maximum payload size sometimes not being enforced High
CVE-2026-48809 was published for python-engineio (pip) Jun 26, 2026
nono-py's policy JSON accepts unknown security fields Moderate
GHSA-m8j6-rc5x-wv36 was published for nono-py (pip) Jun 26, 2026
nono-py vulnerable to authorization bypass / policy confusion Moderate
GHSA-9j7f-3r4p-pwh6 was published for nono-py (pip) Jun 26, 2026
Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication Critical
CVE-2026-48797 was published for @mcptoolshop/backpropagate (npm) Jun 26, 2026
nono-py has proxy-only network fallback bypass on older Linux kernels Moderate
GHSA-72w7-mf9g-733p was published for nono-py (pip) Jun 26, 2026
Credited to lukehinds
Credited to SnailSploit and 0xShemesh
Lemur: ACME SSRF + creator-equality IDOR lead to AWS IAM/PKI compromise Critical
CVE-2026-55166 was published for lemur (pip) Jun 25, 2026
Credited to im-rootkid
Lemur: JWT verifier honors attacker-supplied alg, enabling ATO Moderate
CVE-2026-55165 was published for lemur (pip) Jun 25, 2026
Credited to im-rootkid
Lemur user-update path stores plaintext passwords Moderate
CVE-2026-55164 was published for lemur (pip) Jun 25, 2026
Credited to sour-exploit
Lemur: Crafted CRL/OCSP URLs in uploaded certificates lead to post-authentication SSRF Moderate
CVE-2026-55162 was published for lemur (pip) Jun 25, 2026
Credited to sour-exploit