GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
5,167 advisories
compliance-trestle Remote Fetching Mechanism has an Arbitrary File Write via Cache Path Traversal
High
CVE-2026-45725
was published
for
compliance-trestle
(pip)
May 27, 2026
AsyncSSH `AuthorizedKeysFile %u` path traversal allows attacker-selected authorized keys to authenticate a traversal username
Moderate
CVE-2026-45309
was published
for
asyncssh
(pip)
May 27, 2026
Langroid has Prompt to SQL Injection, Leading to RCE
Critical
CVE-2026-25879
was published
for
langroid
(pip)
May 27, 2026
Weblate has a Server-Side Request Forgery issue
Moderate
CVE-2025-66407
was published
for
Weblate
(pip)
May 26, 2026
instagrapi: Unsafe signup challenge path handling in instagrapi
Moderate
GHSA-ggxf-37hm-9wqf
was published
for
instagrapi
(pip)
May 23, 2026
aiograpi: Unsafe signup challenge path handling
Moderate
CVE-2026-47157
was published
for
aiograpi
(pip)
May 23, 2026
Flask-Security-Too OAuth reauthentication freshness bypass via cross- user OAuth identity acceptance
Moderate
CVE-2026-46715
was published
for
Flask-Security-Too
(pip)
May 22, 2026
aiosend: Deserialization of request body before signature verification (Pre-auth DoS) in webhook handler
High
GHSA-7m8f-hgjq-8gc9
was published
for
aiosend
(pip)
May 22, 2026
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
Critical
CVE-2026-46703
was published
for
@boxlite-ai/boxlite
(Go)
May 21, 2026
BoxLite: Permission Bypass Allows Modification of Read-Only Files
Critical
CVE-2026-46695
was published
for
@boxlite-ai/boxlite
(Go)
May 21, 2026
Pydantic AI: SSRF cloud-metadata blocklist bypass via IPv4-mapped IPv6 (Incomplete fix of CVE-2026-25580)
Moderate
CVE-2026-46678
was published
for
pydantic-ai
(pip)
May 21, 2026
FlaskBB: SSRF in get_image_info() via unrestricted avatar URL
Moderate
CVE-2026-46556
was published
for
flaskbb
(pip)
May 21, 2026
pyload-ng: SSRF via HTTP Redirect Bypass in parse_urls API
Moderate
CVE-2026-46561
was published
for
pyload-ng
(pip)
May 21, 2026
lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out
High
CVE-2026-46517
was published
for
lmdeploy
(pip)
May 21, 2026
Crawlee for Python: SSRF via sitemap-derived URLs
Low
CVE-2026-46497
was published
for
crawlee
(pip)
May 21, 2026
LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization
High
CVE-2026-46432
was published
for
lmdeploy
(pip)
May 21, 2026
wger: cross-tenant account deletion / deactivation / activation by gym.manage_gym + gym=None
High
GHSA-mw8f-w6p8-xrf4
was published
for
wger
(pip)
May 20, 2026
Diffusers: TOCTOU Trust Remote Code Bypass
High
CVE-2026-45804
was published
for
diffusers
(pip)
May 20, 2026
ProTip!
Advisories are also available from the
GraphQL API