Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
48
Go
3,365
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,561
Pub
12
RubyGems
1,013
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

4,561 advisories

Loading
FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability Critical
CVE-2026-32871 was published for fastmcp (pip) Mar 31, 2026
Pr00fOf3xpl0it Credited to Pr00fOf3xpl0it
SciTokens has an Authorization Bypass via Path Traversal in Scope Validation High
CVE-2026-32727 was published for scitokens (pip) Mar 31, 2026
pmcao Credited to pmcao and djw8605 djw8605 djw8605
SciTokens has an Authorization Bypass via Incorrect Scope Path Prefix Checking High
CVE-2026-32716 was published for scitokens (pip) Mar 31, 2026
pmcao Credited to pmcao and djw8605 djw8605 djw8605
SciTokens is vulnerable to SQL Injection in KeyCache Critical
CVE-2026-32714 was published for scitokens (pip) Mar 31, 2026
pmcao Credited to pmcao and djw8605 djw8605 djw8605
onnx Vulnerable to Path Traversal via Symlink High
CVE-2026-27489 was published for onnx (pip) Mar 31, 2026
pi3ch Credited to pi3ch
FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities High
CVE-2026-27124 was published for fastmcp (pip) Mar 31, 2026
an7y Credited to an7y
FastMCP has a Command Injection vulnerability - Gemini CLI Moderate
CVE-2025-64340 was published for fastmcp (pip) Mar 31, 2026
nil340 Credited to nil340
Telnyx has malicious code in PyPI versions 4.87.1 and 4.87.2 Critical
GHSA-955r-262c-33jc was published for telnyx (pip) Mar 30, 2026
Slippers Vulnerable to Cross-Site Scripting (XSS) in `attrs` Template Tag Moderate
CVE-2026-34231 was published for slippers (pip) Mar 30, 2026
evansd Credited to evansd
Glances Vulnerable to Command Injection via Dynamic Configuration Values High
CVE-2026-33641 was published for Glances (pip) Mar 30, 2026
mith36 Credited to mith36
Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard High
CVE-2026-33533 was published for Glances (pip) Mar 30, 2026
tanishqshah2 Credited to tanishqshah2
OpenCC has an Out-of-bounds read when processing truncated UTF-8 input Moderate
GHSA-7fqq-q52p-2jjg was published for OpenCC (npm) Mar 29, 2026
Giskard Agents have Server-side template injection via ChatWorkflow.chat() using non-sandboxed Jinja2 Environment High
CVE-2026-34172 was published for giskard-agents (pip) Mar 27, 2026
kodareef5 Credited to kodareef5
Home Assistant has stored XSS in history-graphs Low
CVE-2026-33045 was published for homeassistant (pip) Mar 27, 2026
pwnpanda Credited to pwnpanda
Home Assistant has stored XSS in Map-card through malicious device name Low
CVE-2026-33044 was published for homeassistant (pip) Mar 27, 2026
pwnpanda Credited to pwnpanda
cryptography has incomplete DNS name constraint enforcement on peer names Low
CVE-2026-34073 was published for cryptography (pip) Mar 27, 2026
1seal Credited to 1seal and woodruffw woodruffw woodruffw
LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions High
CVE-2026-34070 was published for langchain-core (pip) Mar 27, 2026
jiayuqi7813 Credited to jiayuqi7813, VladimirEliTokarev, Rickidevs, and kennethkcox VladimirEliTokarev VladimirEliTokarev
Rickidevs Rickidevs kennethkcox kennethkcox
Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check High
CVE-2026-34046 was published for langflow (pip) Mar 27, 2026
chximn-dt Credited to chximn-dt and AntonioABLima AntonioABLima AntonioABLima
Changedetection.io Discloses Environment Variables via jq env Builtin in Include Filters High
CVE-2026-33981 was published for changedetection.io (pip) Mar 27, 2026
sajdakabir Credited to sajdakabir and zerotrail-ai zerotrail-ai zerotrail-ai
Azure Data Explorer MCP Server: KQL Injection in multiple tools allows MCP client to execute arbitrary Kusto queries High
CVE-2026-33980 was published for adx-mcp-server (pip) Mar 27, 2026
romain-deperne Credited to romain-deperne
pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration Critical
CVE-2026-33992 was published for pyload-ng (pip) Mar 27, 2026
DhiyaneshGeek Credited to DhiyaneshGeek
python-ecdsa: Denial of Service via improper DER length validation in crafted private keys Moderate
CVE-2026-33936 was published for ecdsa (pip) Mar 27, 2026
0xmrma Credited to 0xmrma
Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories Low
CVE-2026-29071 was published for open-webui (pip) Mar 27, 2026
MariuszMaik Credited to MariuszMaik
Open WebUI has unauthorized deletion of knowledge files Moderate
CVE-2026-29070 was published for open-webui (pip) Mar 27, 2026
ScaumAcktiv Credited to ScaumAcktiv
Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite High
CVE-2026-28788 was published for open-webui (pip) Mar 27, 2026
Inar1Dev Credited to Inar1Dev
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database