Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,904
Maven
5,000+
npm
5,000+
NuGet
967
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,374
Swift
54
Unreviewed advisories
All unreviewed
5,000+

648 advisories

Loading
imgaug contains an insecure deserialization vulnerability in BackgroundAugmenter class within multicore.py module Critical
CVE-2026-31235 was published for imgaug (pip) May 12, 2026
llm CLI tool contains a code injection vulnerability via `--functions` command-line argument Critical
CVE-2026-31236 was published for llm (pip) May 12, 2026
Ludwig framework is vulnerable to insecure deserialization through its predict() method. Critical
CVE-2026-31237 was published for ludwig (pip) May 12, 2026
Ludwig framework is vulnerable to insecure deserialization in its model serving component Critical
CVE-2026-31238 was published for ludwig (pip) May 12, 2026
mamba language model framework vulnerable to insecure deserialization when loading pre-trained models from HuggingFace Hub Critical
CVE-2026-31239 was published for mamba-ssm (pip) May 12, 2026
Guardrails AI contains a code injection vulnerability in its Hub package installation mechanism Critical
CVE-2026-31233 was published for guardrails-ai (pip) May 12, 2026
Horovod contains an insecure deserialization vulnerability in its KVStore HTTP server component Critical
CVE-2026-31234 was published for horovod (pip) May 12, 2026
Langroid has Prompt to SQL Injection, Leading to RCE Critical
CVE-2026-25879 was published for langroid (pip) May 27, 2026
Ka7arotto Credited to Ka7arotto
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host Critical
CVE-2026-46703 was published for @boxlite-ai/boxlite (Go) May 21, 2026
XlabAITeam Credited to XlabAITeam
BoxLite: Permission Bypass Allows Modification of Read-Only Files Critical
CVE-2026-46695 was published for @boxlite-ai/boxlite (Go) May 21, 2026
XlabAITeam Credited to XlabAITeam
Mlflow: Command Injection when serving models with enable_mlserver=True Critical
CVE-2026-0596 was published for mlflow (pip) Mar 31, 2026
ConnorCallison Credited to ConnorCallison and rotemd-apiiro rotemd-apiiro rotemd-apiiro
SaltStack Salt Directory traversal vulnerability in minion id validation Critical
CVE-2017-12791 was published for salt (pip) May 17, 2022
Malicious code in guardrails-ai 0.10.1 (supply chain compromise) Critical
CVE-2026-45758 was published for guardrails-ai (pip) May 19, 2026
rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths Critical
CVE-2026-45568 was published for zrok (pip) May 19, 2026
aisafe-bot Credited to aisafe-bot
PySyft server-side arbitrary Python execution after code approval Critical
CVE-2026-31220 was published for syft (pip) May 12, 2026
Malicious dropper in mistralai 2.4.6 PyPI package Critical
GHSA-wx9m-wx4f-4cmg was published for mistralai (pip) May 18, 2026
nullcharb Credited to nullcharb
pgAdmin 4 server mode has an authorization vulnerability affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules Critical
CVE-2026-7813 was published for pgadmin4 (pip) May 11, 2026
Open WebUI has an LDAP Empty Password Authentication Bypass Critical
CVE-2026-44551 was published for open-webui (pip) May 8, 2026
Classic298 Credited to Classic298
utcp-cli Vulnerable to Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol Critical
CVE-2026-45369 was published for utcp-cli (pip) May 14, 2026
ZeroXJacks Credited to ZeroXJacks
Dulwich Arbitrary code execution via commit with directory path starting with .git Critical
CVE-2014-9706 was published for dulwich (pip) May 17, 2022
DEVSOG12 Credited to DEVSOG12
ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView Critical
CVE-2026-42601 was published for archivebox (pip) May 4, 2026
q1uf3ng Credited to q1uf3ng
Compromise of PyTorch Lightning PyPi Package Versions Critical
CVE-2026-44484 was published for pytorch-lightning (pip) May 7, 2026
misp-modules website - Missing CSRF protection in the website home blueprint Critical
CVE-2026-44364 was published for misp-modules (pip) May 6, 2026
DavidCruciani Credited to DavidCruciani
wger: cross-tenant password reset and plaintext disclosure via gym=None bypass Critical
CVE-2026-43948 was published for wger (pip) May 6, 2026
whatisproblem Credited to whatisproblem
django-s3file is vulnerable to relative path traversal Critical
CVE-2026-42196 was published for django-s3file (pip) May 5, 2026
stsewd Credited to stsewd and amureki amureki amureki
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database