
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,656 advisories

PraisonAI Has Path Traversal in FileTools (Critical)
CVE-2026-35615, published for PraisonAI (pip) on Apr 6, 2026. Credited to kritsana-chaikaew.

PraisonAI recipe registry publish path traversal allows out-of-root file write (High)
CVE-2026-39308, published for PraisonAI (pip) on Apr 6, 2026. Credited to R1ZZG0D.

PraisonAI recipe registry pull path traversal writes files outside the chosen output directory (High)
CVE-2026-39306, published for PraisonAI (pip) on Apr 6, 2026. Credited to R1ZZG0D.

PraisonAI Vulnerable to Arbitrary File Write / Path Traversal in Action Orchestrator (Critical)
CVE-2026-39305, published for PraisonAI (pip) on Apr 6, 2026. Credited to liyander.

PraisonAI Has Arbitrary File Write (Zip Slip) in Templates Extraction (High)
CVE-2026-39307, published for PraisonAI (pip) on Apr 6, 2026. Credited to liyander.
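The five PraisonAI entries above (and the kedro-datasets PartitionedDataset entry further down) all belong to one class: an untrusted name, whether an archive member, a registry entry or a caller-chosen output path, is joined onto a directory and written without checking that the result still lies inside that directory. The following is an added, generic illustration in Python of the vulnerable pattern beside its hardened form; it is not PraisonAI's or kedro's code, and the archives, member names and directory layout are constructed for the demo.

```python
from __future__ import annotations

import io
import os
import tempfile
import zipfile
from pathlib import Path


def resolve_under_root(root: Path, untrusted: str) -> Path:
    """Join an untrusted relative name (archive member, registry entry name,
    user-supplied output path) onto `root` and refuse anything that would land
    outside it. resolve() normalises '..' segments and follows symlinks, so a
    symlink planted by an earlier archive member cannot redirect a later write
    outside the root either."""
    if not untrusted or os.path.isabs(untrusted) or untrusted[0] in "/\\":
        raise ValueError(f"absolute or empty path rejected: {untrusted!r}")
    root = root.resolve()
    candidate = (root / untrusted).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes root: {untrusted!r}")
    return candidate


def is_confined(root: str, untrusted: str) -> bool:
    """Convenience predicate around resolve_under_root."""
    try:
        resolve_under_root(Path(root), untrusted)
        return True
    except ValueError:
        return False


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory archive from {member_name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)  # writestr does not sanitise '../' in names
    return buf.getvalue()


def naive_extract(zip_bytes: bytes, dest: Path) -> None:
    """The vulnerable pattern: trusts member names and joins them onto dest."""
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # '../' walks out of dest
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as dst:
                dst.write(zf.read(info))


def safe_extract(zip_bytes: bytes, dest: Path) -> list[Path]:
    """Hardened form: validate every member before writing anything, so a
    hostile archive is rejected whole rather than partially extracted."""
    dest.mkdir(parents=True, exist_ok=True)
    written: list[Path] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.infolist()
        targets = [resolve_under_root(dest, m.filename) for m in members]  # raises on escape
        for info, target in zip(members, targets):
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def run_demo() -> dict:
    """Constructed demo: a benign archive and one that also carries
    '../../outside.txt'. Extraction goes into <tmp>/out/pkg, so the hostile
    member aims at <tmp>/outside.txt, two levels above the output directory."""
    benign = build_zip({"recipe/README.md": b"# demo"})
    hostile = build_zip({"recipe/README.md": b"# demo", "../../outside.txt": b"owned"})
    result: dict = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "out" / "pkg"
        naive_extract(hostile, dest)
        result["naive_escaped"] = (Path(tmp) / "outside.txt").exists()
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "out" / "pkg"
        result["benign"] = [p.relative_to(dest.resolve()).as_posix() for p in safe_extract(benign, dest)]
        try:
            safe_extract(hostile, dest)
            result["hostile_rejected"] = False
        except ValueError:
            result["hostile_rejected"] = True
        result["safe_escaped"] = (Path(tmp) / "outside.txt").exists()
    return result


if __name__ == "__main__":
    print(run_demo())
```

The same resolve_under_root check applies unchanged to a registry publish or pull path and to a dataset partition name: compute the final absolute path first, compare it against the resolved root, and only then open the file. Checking for a leading "../" in the string is not enough, since "a/../../x" passes that test and still escapes.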
strawberry-graphql: Denial of Service via unbounded WebSocket subscriptions (High)
CVE-2026-35526, published for strawberry-graphql (pip) on Apr 6, 2026. Credited to JFOZ1010, patrick91, and bellini666.

strawberry-graphql: Authentication bypass via legacy graphql-ws WebSocket subprotocol (High)
CVE-2026-35523, published for strawberry-graphql (pip) on Apr 6, 2026. Credited to bellini666, patrick91, katzj, and WesR.

changedetection.io Vulnerable to Authentication Bypass via Decorator Ordering (Critical)
CVE-2026-35490, published for changedetection.io (pip) on Apr 6, 2026. Credited to axel-corsiez.

kedro-datasets has a path traversal vulnerability in PartitionedDataset that allows arbitrary file write (Moderate)
CVE-2026-35492, published for kedro-datasets (pip) on Apr 6, 2026. Credited to redyank.

OpenEXR has heap-buffer-overflow via signed integer underflow in ImfContextInit.cpp (Moderate)
CVE-2026-26981, published for OpenEXR (pip) on Apr 6, 2026. Credited to JungWooJJING.

OpenEXR has use after free in PyObject_StealAttrString (Moderate)
CVE-2025-64183, published for OpenEXR (pip) on Apr 6, 2026. Credited to MegaManSec.

OpenEXR has buffer overflow in PyOpenEXR_old's channels() and channel() (Moderate)
CVE-2025-64182, published for OpenEXR (pip) on Apr 6, 2026. Credited to MegaManSec.

OpenEXR Makes Use of Uninitialized Memory (Low)
CVE-2025-64181, published for OpenEXR (pip) on Apr 6, 2026. Credited to Kaldreic.

pyLoad: Improper Neutralization of Special Elements used in an OS Command (High)
CVE-2026-35463, published for pyload-ng (pip) on Apr 4, 2026. Credited to axel-corsiez.

pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992) (Critical)
CVE-2026-35459, published for pyload-ng (pip) on Apr 4, 2026. Credited to kodareef5.

web3.py: SSRF via CCIP Read (EIP-3668) OffchainLookup URL handling (Moderate)
GHSA-5hr4-253g-cpx2, published for web3 (pip) on Apr 4, 2026. Credited to Nadav0077.

LightRAG: Hardcoded JWT Signing Secret Allows Authentication Bypass (High)
CVE-2026-30762, published for lightrag-hku (pip) on Apr 4, 2026. Credited to Venkatatadu.

pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter (High)
CVE-2026-35187, published for pyload-ng (pip) on Apr 4, 2026. Credited to morimori-dev.
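Three of the entries above are SSRF through URL handling (two in pyLoad, one in web3.py), and one of them is explicitly an incomplete fix bypassed via an HTTP redirect. That is the usual way a first SSRF fix fails: the URL the user supplied is checked, but the HTTP client is then allowed to follow redirects, and the Location it follows is never checked. The following is an added, generic illustration in Python of a destination check that is applied to every hop; it is not pyLoad's or web3.py's code, and the hostnames, addresses and redirect chain are constructed stand-ins for DNS and the upstream servers so that it runs offline.

```python
from __future__ import annotations

import ipaddress
from urllib.parse import urljoin, urlparse

# Constructed stand-ins for DNS and for upstream servers so the example runs
# offline. Hostnames, addresses and paths are made up for illustration.
FAKE_DNS = {
    "files.example.com": "93.184.216.34",
    "mirror.example.net": "93.184.216.35",
    "localtest.example.org": "127.0.0.1",   # a name whose DNS answer is loopback
}
# url -> (status, Location header)
FAKE_HTTP = {
    "https://files.example.com/download/1": (302, "http://169.254.169.254/latest/meta-data/"),
    "https://mirror.example.net/a": (302, "https://localtest.example.org/admin"),
    "https://mirror.example.net/b": (302, "/real.bin"),            # relative redirect
    "https://mirror.example.net/real.bin": (200, None),
    "http://169.254.169.254/latest/meta-data/": (200, None),
    "https://localtest.example.org/admin": (200, None),
}


class BlockedURL(Exception):
    pass


def check_destination(url: str, resolver: dict[str, str] = FAKE_DNS) -> str:
    """Return the vetted IP for `url`, or raise BlockedURL.

    Rejects non-http(s) schemes, names that do not resolve (fail closed) and
    any address that is not globally routable: loopback, RFC 1918, link-local
    (the cloud metadata service at 169.254.169.254), multicast, reserved.
    The caller should connect to the returned IP rather than re-resolving the
    name, otherwise the DNS answer can change between check and use."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedURL(f"scheme or host not allowed: {url}")
    host = parts.hostname
    try:
        ip = ipaddress.ip_address(host)        # literal IPv4/IPv6 (brackets already stripped)
    except ValueError:
        if host not in resolver:
            raise BlockedURL(f"{host} does not resolve")
        ip = ipaddress.ip_address(resolver[host])
    if not ip.is_global:
        raise BlockedURL(f"{host} -> {ip} is not a public address")
    return str(ip)


def naive_fetch(url: str, max_hops: int = 5) -> str:
    """The incomplete-fix pattern: the user-supplied URL is checked once and
    the client then follows redirects on its own. Returns the final URL."""
    check_destination(url)
    for _ in range(max_hops):
        status, location = FAKE_HTTP[url]
        if status != 302:
            return url
        url = urljoin(url, location)           # never re-checked
    raise BlockedURL("too many redirects")


def safe_fetch(url: str, max_hops: int = 5) -> str:
    """Hardened form: automatic redirects are off and every hop is vetted
    before it is requested. With requests or httpx that means
    allow_redirects=False / follow_redirects=False plus a loop like this."""
    for _ in range(max_hops):
        check_destination(url)
        status, location = FAKE_HTTP[url]
        if status != 302:
            return url
        url = urljoin(url, location)
    raise BlockedURL("too many redirects")


def outcome(fetch, url: str) -> str:
    """Run a fetcher and fold a BlockedURL into a string for easy comparison."""
    try:
        return fetch(url)
    except BlockedURL as exc:
        return "blocked: " + str(exc)


if __name__ == "__main__":
    for start in ("https://files.example.com/download/1",
                  "https://mirror.example.net/a",
                  "https://mirror.example.net/b"):
        print(start, "| naive:", outcome(naive_fetch, start), "| safe:", outcome(safe_fetch, start))
```

Two caveats that the per-hop check alone does not cover: the name must be resolved once and the connection made to that address (pinning), or a rebinding DNS server can return a public address for the check and a private one for the connect; and the block list has to be by address class (ip.is_global), not by a hard-coded list of strings, since 127.1, 0x7f000001, decimal and IPv6-mapped forms all reach loopback while looking nothing like "127.0.0.1".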
BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation (High)
CVE-2026-35044, published for bentoml (pip) on Apr 3, 2026. Credited to offset.

BentoML: Command Injection in cloud deployment setup script (High)
CVE-2026-35043, published for bentoml (pip) on Apr 3, 2026. Credited to kodareef5.

LiteLLM: Authentication bypass via OIDC userinfo cache key collision (Critical)
CVE-2026-35030, published for litellm (pip) on Apr 3, 2026. Credited to veria-labs.

LiteLLM: Privilege escalation via unrestricted proxy configuration endpoint (High)
CVE-2026-35029, published for litellm (pip) on Apr 3, 2026.

Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service (High)
CVE-2026-34824, published for mesop (pip) on Apr 3, 2026. Credited to tubadeligoz.

vLLM: Denial of Service via Unbounded Frame Count in video/jpeg Base64 Processing (Moderate)
CVE-2026-34755, published for vllm (pip) on Apr 3, 2026. Credited to SEORY0, russellb, jperezdealgaba, DarkLight1337, and Isotr0py.