GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 91
GitHub Actions: 54
Go: 4,194
Maven: 5,000+
npm: 5,000+
NuGet: 1,021
pip: 5,000+
Pub: 13
RubyGems: 1,102
Rust: 1,422
Swift: 61
Unreviewed advisories
All unreviewed: 5,000+
480 advisories
Open Babel has out-of-bounds write (overlapping memcpy) in zipstream basic_unzip_streambuf::underflow
Low severity: CVE-2025-10995 was published for openbabel (pip) on Jun 30, 2026
Open Babel has Use-after-free in GAMESS GAMESSOutputFormat::ReadMolecule
Low severity: CVE-2025-10994 was published for openbabel (pip) on Jun 30, 2026
Open Babel has a NULL pointer dereference in CDXML OBAtom::GetExplicitValence
Low severity: CVE-2026-3408 was published for openbabel (pip) on Jun 30, 2026
Open Babel has NULL pointer dereference in MOL2 OBAtom::SetFormalCharge
Low severity: CVE-2026-2705 was published for openbabel (pip) on Jun 30, 2026
Open Babel has an out-of-bounds read in CIF transform3d::DescribeAsString
Low severity: CVE-2026-2704 was published for openbabel (pip) on Jun 30, 2026
Flawfinder output manipulation via untrusted filenames and source text
Low severity: CVE-2026-48813 was published for flawfinder (pip) on Jun 26, 2026
PGHoard: Password written to debug log
Low severity: CVE-2026-54711 was published for pghoard (pip) on Jun 18, 2026
BBOT: Symlink-Following Arbitrary Write via github_workflows Module
Low severity: CVE-2026-12567 was published for bbot (pip) on Jun 18, 2026
BBOT: Server-Side Request Forgery (SSRF) in docker_pull module via WWW-Authenticate realm parsing
Low severity: CVE-2026-12566 was published for bbot (pip) on Jun 18, 2026
Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output
Low severity: GHSA-8rfp-98v4-mmr6 was published for bleach (pip) on Jun 16, 2026
Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname
Low severity: CVE-2026-54282 was published for Starlette (pip) on Jun 15, 2026
python-multipart: Negative Content-Length in parse_form buffers the entire body in memory
Low severity: CVE-2026-53540 was published for python-multipart (pip) on Jun 15, 2026
python-multipart: Semicolon treated as querystring field separator enables parameter smuggling
Low severity: CVE-2026-53538 was published for python-multipart (pip) on Jun 15, 2026
python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters
Low severity: CVE-2026-53537 was published for python-multipart (pip) on Jun 15, 2026
aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
Low severity: CVE-2026-54275 was published for aiohttp (pip) on Jun 15, 2026
aiohttp: Payload Response Resources Are Not Closed After Mid-Body Disconnect
Low severity: CVE-2026-54280 was published for aiohttp (pip) on Jun 15, 2026
aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
Low severity: CVE-2026-54279 was published for aiohttp (pip) on Jun 15, 2026
aiohttp: CRLF injection in multipart headers
Low severity: CVE-2026-50269 was published for aiohttp (pip) on Jun 15, 2026
PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)
Low severity: CVE-2026-48524 was published for pyjwt (pip) on Jun 15, 2026
Tornado has out-of-bounds memory access via C extension
Low severity: CVE-2026-49854 was published for tornado (pip) on Jun 12, 2026
Dulwich doesn't sanitize commit subjects in `porcelain.format_patch`
Low severity: CVE-2026-47712 was published for dulwich (pip) on Jun 8, 2026
Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known
Low severity: CVE-2026-47716 was published for bugsink (pip) on Jun 5, 2026
Bugsink: Issue event views can show an event from another project if its UUID is known
Low severity: CVE-2026-47715 was published for bugsink (pip) on Jun 5, 2026
Vantage6: No limit on emails sent for password/MFA reset
Low severity: CVE-2024-24769 was published for vantage6 (pip) on Jun 5, 2026
kas's late signature validation may allow unnoticed repository manipulations
Low severity: CVE-2026-47192 was published for kas (pip) on Jun 4, 2026
ProTip! Advisories are also available from the GraphQL API.