GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
133 advisories
zeroconf has unbounded DNS record cache that allows LAN-local memory exhaustion via multicast flood
Moderate | CVE-2026-47184 was published for zeroconf (pip) | May 29, 2026

NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes
Moderate | CVE-2026-45554 was published for nicegui (pip) | May 18, 2026

Keras vulnerable to DoS via Malicious .keras Model (HDF5 Shape Bomb Causes Petabyte Allocation in KerasFileEditor)
High | CVE-2026-0897 was published for keras (pip) | May 6, 2026

aiograpi has dependency on vulnerable orjson 3.11.4 (CVE-2025-67221)
Low | GHSA-7mw3-79jq-xc7f was published for aiograpi (pip) | May 6, 2026

python-multipart has Denial of Service via unbounded multipart part headers
High | CVE-2026-42561 was published for python-multipart (pip) | May 6, 2026

ciguard: SCA HTTP client reads response body without size cap
Moderate | CVE-2026-44219 was published for ciguard (pip) | May 5, 2026

FITS GZIP decompression bomb in Pillow
High | CVE-2026-40192 was published for pillow (pip) | Apr 13, 2026

PraisonAI has Unrestricted Upload Size in WSGI Recipe Registry Server that Enables Memory Exhaustion DoS
Moderate | CVE-2026-40115 was published for PraisonAI (pip) | Apr 10, 2026

PraisonAI: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits
High | CVE-2026-40116 was published for PraisonAI (pip) | Apr 10, 2026

Django: SGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit
High | CVE-2026-33034 was published for Django (pip) | Apr 7, 2026

strawberry-graphql: Denial of Service via unbounded WebSocket subscriptions
High | CVE-2026-35526 was published for strawberry-graphql (pip) | Apr 6, 2026

Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service
High | CVE-2026-34824 was published for mesop (pip) | Apr 3, 2026

vLLM: Denial of Service via Unbounded Frame Count in video/jpeg Base64 Processing
Moderate | CVE-2026-34755 was published for vllm (pip) | Apr 3, 2026

LTI JupyterHub Authenticator: Unbounded Memory Growth via Nonce Storage (Denial of Service)
Moderate | CVE-2026-34052 was published for jupyterhub-ltiauthenticator (pip) | Apr 3, 2026

vLLM: Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server
Moderate | CVE-2026-34756 was published for vllm (pip) | Apr 3, 2026

AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS
Low | CVE-2026-34517 was published for aiohttp (pip) | Apr 1, 2026

AIOHTTP has a Multipart Header Size Bypass
Moderate | CVE-2026-34516 was published for aiohttp (pip) | Apr 1, 2026

AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
Low | CVE-2026-34513 was published for aiohttp (pip) | Apr 1, 2026

aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
Moderate | CVE-2026-22815 was published for aiohttp (pip) | Apr 1, 2026

openssl-encrypt: TOTP rate limiter is in-memory only — not shared across workers, lost on restart
Critical | GHSA-h45m-mgcp-q388 was published for openssl-encrypt (pip) | Mar 31, 2026

NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion
Moderate | CVE-2026-33332 was published for nicegui (pip) | Mar 19, 2026

DeepDiff has Memory Exhaustion DoS through SAFE_TO_IMPORT
High | CVE-2026-33155 was published for deepdiff (pip) | Mar 18, 2026

pypdf: manipulated stream length values can exhaust RAM
Moderate | CVE-2026-31826 was published for pypdf (pip) | Mar 11, 2026

RAGAS has an Arbitrary File Read vulnerability
High | CVE-2025-45691 was published for ragas (pip) | Mar 5, 2026

Django vulnerable to Uncontrolled Resource Consumption
High | CVE-2026-25673 was published for Django (pip) | Mar 3, 2026
ProTip! Advisories are also available from the GraphQL API