
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.

4,831 advisories

Weblate: Privilege escalation in the user API endpoint (High)
CVE-2026-34393, weblate (pip), published Apr 16, 2026. Credited to tikket1, nijel, and DavidCarliez.

Weblate: SSRF via Project-Level Machinery Configuration (Moderate)
CVE-2026-34244, weblate (pip), published Apr 16, 2026. Credited to DavidCarliez, nijel, and amCap1712.

Weblate: Arbitrary File Read via Symlink (High)
CVE-2026-34242, weblate (pip), published Apr 16, 2026. Credited to DavidCarliez.

Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads (Moderate)
CVE-2026-33440, weblate (pip), published Apr 16, 2026. Credited to spbavarva and nijel.

Weblate: Remote code execution during backup restoration (High)
CVE-2026-33435, weblate (pip), published Apr 16, 2026. Credited to nijel and amCap1712.

Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository (Moderate)
CVE-2026-33220, weblate (pip), published Apr 16, 2026. Credited to spbavarva and nijel.

Weblate: Improper access control for the translation memory in API (Moderate)
CVE-2026-33214, weblate (pip), published Apr 16, 2026.

Weblate: Improper access control for pending tasks in API (Low)
CVE-2026-33212, weblate (pip), published Apr 16, 2026. Credited to nijel.

Apache Airflow: JWT token appearing in logs (Moderate)
CVE-2026-31987, apache-airflow (pip), published Apr 16, 2026.

Apache Airflow: RCE by race condition in example_xcom dag (High)
CVE-2025-54550, apache-airflow (pip), published Apr 16, 2026.

wger has Stored XSS via Unescaped License Attribution Fields (Moderate)
CVE-2026-40353, wger (pip), published Apr 16, 2026. Credited to 0xkakash1.

wger has Broken Access Control in Global Gym Configuration Update Endpoint (High)
CVE-2026-40474, wger (pip), published Apr 16, 2026. Credited to VashuVats.

UEFI Firmware Parser has a heap out-of-bounds write in tiano decompressor ReadCLen (Critical)
GHSA-hm2w-vr2p-hq7w, uefi-firmware (pip), published Apr 16, 2026. Credited to 1seal.

UEFI Firmware Parser has a stack out-of-bounds write in tiano decompressor MakeTable (Critical)
GHSA-2689-5p89-6j3j, uefi-firmware (pip), published Apr 16, 2026. Credited to 1seal and offset.

LangSmith SDK: Streaming token events bypass output redaction (Moderate)
CVE-2026-41182, langsmith (npm), published Apr 16, 2026. Credited to Ryu7zz and fg0x0.

python-multipart affected by Denial of Service via large multipart preamble or epilogue data (Moderate)
CVE-2026-40347, python-multipart (pip), published Apr 15, 2026. Credited to HamdaanAliQuatil and defnull.

pypdf has long runtimes for wrong size values in cross-reference and object streams (Moderate)
CVE-2026-41168, pypdf (pip), published Apr 15, 2026. Credited to alpakalee and stefan6419846.

Upsonic: remote code execution vulnerability in its MCP server/task creation functionality (Critical)
CVE-2026-30625, upsonic (pip), published Apr 15, 2026.

pyLoad's Session Not Invalidated After Permission Changes (Low)
GHSA-fj52-5g4h-gmq8, pyload-ng (pip), published Apr 14, 2026. Credited to PinkDraconian.

pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass) (High)
CVE-2026-41133, pyload-ng (pip), published Apr 14, 2026. Credited to komi22.

Giskard has Unsandboxed Jinja2 Template Rendering in ConformityCheck (Moderate)
CVE-2026-40320, giskard-checks (pip), published Apr 14, 2026. Credited to dhabaleshwar.

Giskard has a Regular Expression Denial of Service (ReDoS) in RegexMatching Check (Low)
CVE-2026-40319, giskard-checks (pip), published Apr 14, 2026. Credited to dhabaleshwar.
Advisories are also available from the GraphQL API.
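The GraphQL route is the one a practitioner actually uses with a list like the one above: rather than reading titles, ask the API for every advisory against a package and compare the installed version with each advisory's vulnerableVersionRange. The following is an added example, not GitHub's own client code and not code from any of the projects listed. The GraphQL field names (securityVulnerabilities, vulnerableVersionRange, firstPatchedVersion, advisory.ghsaId) are GitHub's published schema; the sample response, the package "example-package", its version ranges and the GHSA-xxxx identifiers are constructed placeholders, not real advisory data, so the range check runs offline. The version parser is deliberately simplified (dotted integers only, not full PEP 440); for a production check use the packaging library's Version and SpecifierSet.

```python
"""Look up GitHub advisories for a package via the GraphQL API and decide
whether an installed version lies inside any vulnerableVersionRange.

Added example for this page, not GitHub's own client. The live query needs
a GITHUB_TOKEN; the SAMPLE_NODES at the bottom are constructed so the range
logic can be exercised offline.
"""
import json
import os
import re
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# securityVulnerabilities is GitHub's schema; $ecosystem is an enum
# (PIP, NPM, GO, RUBYGEMS, ...), passed as a variable, not a string.
QUERY = """
query($package: String!, $ecosystem: SecurityAdvisoryEcosystem!) {
  securityVulnerabilities(first: 100, ecosystem: $ecosystem, package: $package) {
    nodes {
      advisory { ghsaId summary severity publishedAt identifiers { type value } }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
    }
  }
}
"""


def fetch_vulnerabilities(package, ecosystem="PIP", token=None):
    """Live lookup; requires network and a token (no special scopes needed)."""
    token = token or os.environ["GITHUB_TOKEN"]
    body = json.dumps({"query": QUERY,
                       "variables": {"package": package,
                                     "ecosystem": ecosystem}}).encode()
    req = urllib.request.Request(GRAPHQL_URL, data=body, headers={
        "Authorization": f"bearer {token}",
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["data"]["securityVulnerabilities"]["nodes"]


def parse_version(v):
    """Simplified: '4.1.2' -> (4, 1, 2); stops at the first non-numeric part.
    Not PEP 440 (no pre-release or local-version handling)."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _cmp(a, b):
    """Three-way compare with zero padding so that 4.1 == 4.1.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0,
       ">": lambda c: c > 0, ">=": lambda c: c >= 0, "=": lambda c: c == 0}


def in_range(version, range_expr):
    """vulnerableVersionRange is comma-separated clauses that must all hold,
    e.g. '>= 4.0.0, < 4.1.2', '< 2.0' or '= 1.0.0'."""
    v = parse_version(version)
    for clause in range_expr.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"unrecognised clause: {clause!r}")
        if not OPS[m.group(1)](_cmp(v, parse_version(m.group(2)))):
            return False
    return True


def affected(nodes, installed):
    """(ghsaId, firstPatchedVersion) for every advisory whose range matches;
    firstPatchedVersion is None when GitHub lists no fix."""
    hits = []
    for n in nodes:
        if in_range(installed, n["vulnerableVersionRange"]):
            fixed = (n.get("firstPatchedVersion") or {}).get("identifier")
            hits.append((n["advisory"]["ghsaId"], fixed))
    return hits


# Constructed sample response for a hypothetical package; not real advisories.
SAMPLE_NODES = [
    {"advisory": {"ghsaId": "GHSA-xxxx-xxxx-xxx1", "severity": "HIGH"},
     "vulnerableVersionRange": ">= 4.0.0, < 4.1.2",
     "firstPatchedVersion": {"identifier": "4.1.2"}},
    {"advisory": {"ghsaId": "GHSA-xxxx-xxxx-xxx2", "severity": "MODERATE"},
     "vulnerableVersionRange": "< 3.5",
     "firstPatchedVersion": {"identifier": "3.5"}},
    {"advisory": {"ghsaId": "GHSA-xxxx-xxxx-xxx3", "severity": "LOW"},
     "vulnerableVersionRange": "= 4.1.2",
     "firstPatchedVersion": None},
]

if __name__ == "__main__":
    for v in ("3.4.9", "4.0.5", "4.1.2", "4.2"):
        print(v, affected(SAMPLE_NODES, v))
```

To run it against a real package, call fetch_vulnerabilities("weblate", "PIP") with GITHUB_TOKEN set and pass the returned nodes to affected() together with the version reported by pip show; the constructed SAMPLE_NODES exist only so the range evaluation can be checked without network access.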