GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
5,695 advisories
Filter by severity
Apple App Store Server Python Library: SignedDataVerifier accepts stale OCSP GOOD responses and can bypass certificate revocation checks
Moderate
GHSA-8f6j-263m-g72x
was published
for
app-store-server-library
(pip)
Jul 13, 2026
json_repair: Circular JSON Schema `$ref` causes unbounded CPU DoS
High
GHSA-xf7x-x43h-rpqh
was published
for
json-repair
(pip)
Jul 13, 2026
DIRAC: SQL injection and lack of access control in PilotManager service
High
GHSA-7xw9-549r-8jrc
was published
for
DIRAC
(pip)
Jul 13, 2026
DIRAC: Pilot code downloaded over unverified HTTPS connection
High
CVE-2026-61668
was published
for
DIRAC
(pip)
Jul 13, 2026
DIRAC is vulnerable to RCE in FileCatalog DatasetManager via SQL injection + eval
Critical
CVE-2026-61667
was published
for
DIRAC
(pip)
Jul 13, 2026
DIRAC is vulnerable to RCE in RequestManager due to eval on untrusted input
Critical
CVE-2026-45579
was published
for
DIRAC
(pip)
Jul 13, 2026
GeoNode: Stored XSS to full account takeover
Moderate
CVE-2024-27091
was published
for
geonode
(pip)
Jul 13, 2026
Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset
High
GHSA-h4g2-xfmw-q2c9
was published
for
clauster
(pip)
Jul 10, 2026
mcp-atlassian: Arbitrary file read via missing path validation in confluence_upload_attachment
High
GHSA-g5r6-gv6m-f5jv
was published
for
mcp-atlassian
(pip)
Jul 10, 2026
mcp-atlassian: Arbitrary server-side file read via attachment upload
High
GHSA-wm45-qh3g-v83f
was published
for
mcp-atlassian
(pip)
Jul 10, 2026
BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py
High
CVE-2026-54071
was published
for
BabelDOC
(pip)
Jul 10, 2026
CredSweeper: Recursive archive size-limit bypass in deep scanner allows crafted compressed inputs to exhaust resources
Moderate
GHSA-9mqm-qcwf-5qhg
was published
for
credsweeper
(pip)
Jul 10, 2026
MCP Atlassian: DNS-rebinding TOCTOU bypass of the SSRF fix (CVE-2026-27826)
Moderate
GHSA-489g-7rxv-6c8q
was published
for
mcp-atlassian
(pip)
Jul 10, 2026
Mistune: Potential DoS via quadratic-time parsing in parse_link_text
High
CVE-2026-49851
was published
for
mistune
(pip)
Jul 9, 2026
psd-tools vulnerable to arbitrary file write via smart-object filename
Moderate
CVE-2026-49836
was published
for
psd-tools
(pip)
Jul 9, 2026
Rattler vulnerable to package cache path traversal via conda package build string
Moderate
CVE-2026-53956
was published
for
py_rattler
(pip)
Jul 9, 2026
pypdf: Possible infinite loop when processing threads/articles in writer
Moderate
CVE-2026-54651
was published
for
pypdf
(pip)
Jul 9, 2026
pymonocypher: Potential heap buffer overflow on nb_blocks in argon2i_32 when provided buffer is too small
Moderate
CVE-2026-53720
was published
for
pymonocypher
(pip)
Jul 9, 2026
Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser
High
CVE-2026-49477
was published
for
soupsieve
(pip)
Jul 9, 2026
Soup Sieve has Memory Exhaustion via Large Comma-Separated Selector Lists
High
CVE-2026-49476
was published
for
soupsieve
(pip)
Jul 9, 2026
Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths
High
GHSA-52vm-mxx8-f227
was published
for
phantom-audio
(pip)
Jul 9, 2026
pyLoad: Unbounded Memory Growth Leading to DoS and Potential DDoS in EventManager
Moderate
CVE-2026-48987
was published
for
pyload-ng
(pip)
Jul 9, 2026
pyLoad: SSRF guard bypass via IPv6 6to4/NAT64 transition wrappers of internal IPs
Moderate
CVE-2026-48737
was published
for
pyload-ng
(pip)
Jul 9, 2026
Serena: Unauthenticated Flask dashboard on fixed port enables DNS rebinding → memory poisoning → RCE
High
CVE-2026-49471
was published
for
serena-agent
(pip)
Jul 8, 2026
Trapster Community: Unauthenticated malformed DNS compression pointers crash per-packet honeypot handler
Moderate
GHSA-mxwc-wh95-pw4g
was published
for
trapster
(pip)
Jul 8, 2026
ProTip!
Advisories are also available from the
GraphQL API