GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
102
GitHub Actions
54
Go
4,340
Maven
5,000+
npm
5,000+
NuGet
1,033
pip
5,000+
Pub
13
RubyGems
1,122
Rust
1,498
Swift
61
Unreviewed advisories
All unreviewed
5,000+
5,736 advisories
Filter by severity
PocketSphinx: Buffer overflows in language and acoustic model loading code
Moderate
CVE-2026-54559
was published
for
pocketsphinx
(pip)
Jul 17, 2026
PRoot-Distro has Path Traversal in proot-distro copy — Arbitrary Read, Write, and Persistent Code Execution Outside Container Rootfs
Moderate
GHSA-mfr4-mq8w-vmg6
was published
for
proot-distro
(pip)
Jul 17, 2026
Flask-Reuploaded: Extension-denylist bypass via case-folding asymmetry in name-override path (incomplete-fix variant of CVE-2026-27641)
High
CVE-2026-54567
was published
for
Flask-Reuploaded
(pip)
Jul 17, 2026
Prompty: Arbitrary file read via file reference expansion
High
CVE-2026-53598
was published
for
@prompty/core
(npm)
Jul 17, 2026
meta-ads-mcp: X-Pipeboard-Token Header Auth Bypass Reuses Operator Meta Token
High
CVE-2026-54547
was published
for
meta-ads-mcp
(pip)
Jul 17, 2026
meta-ads-mcp: Server-Side Request Forgery (SSRF) in `upload_ad_image` via Unrestricted `image_url` Fetch
High
CVE-2026-54549
was published
for
meta-ads-mcp
(pip)
Jul 17, 2026
sh _uid does not drop supplementary groups (incomplete privilege drop)
High
CVE-2026-54552
was published
for
sh
(pip)
Jul 17, 2026
plone.restapi: Stored XSS by spoofing mime type
Moderate
GHSA-8rqh-vxpr-x77p
was published
for
plone.restapi
(pip)
Jul 17, 2026
plone.app.textfield: Stored XSS by spoofing mime type
Moderate
CVE-2026-54503
was published
for
plone.app.textfield
(pip)
Jul 17, 2026
vLLM: Speech-to-text upload size limit is enforced after full UploadFile read
Moderate
CVE-2026-55646
was published
for
vllm
(pip)
Jul 17, 2026
vLLM: ReDoS via structured_outputs.regex compiled without timeout in xgrammar and outlines backends
High
CVE-2026-55574
was published
for
vllm
(pip)
Jul 17, 2026
vLLM has Remote DoS via Invalid Recovered Token Reinjection
High
CVE-2026-54234
was published
for
vllm
(pip)
Jul 17, 2026
vLLM: Processing differential in multi-channel audio downmixing enables hidden-input/moderation bypass for audio models
Moderate
CVE-2026-34760
was published
for
vllm
(pip)
Jul 17, 2026
MCP Python SDK: WebSocket server transport does not support Host/Origin validation
High
CVE-2026-59950
was published
for
mcp
(pip)
Jul 16, 2026
MCP Python SDK: HTTP transports serve session requests without verifying the authenticated principal
High
CVE-2026-52869
was published
for
mcp
(pip)
Jul 16, 2026
MCP Python SDK: Experimental task handlers allow any client to access and cancel other clients' tasks
High
CVE-2026-52870
was published
for
mcp
(pip)
Jul 16, 2026
dd-trace-py: Improper parsing of W3C baggage headers may lead to DoS
High
CVE-2026-50271
was published
for
ddtrace
(pip)
Jul 15, 2026
django-haystack: Remote Code Execution via `eval()` in Elasticsearch Result Deserialization
High
GHSA-r3hx-x5rh-p9vv
was published
for
django-haystack
(pip)
Jul 15, 2026
Pixeldrain API key shared with unverified thirdparty sites
Moderate
CVE-2026-54254
was published
for
cyberdrop-dl-patched
(pip)
Jul 15, 2026
TensorZero Gateway: Arbitrary file read and SSRF in internal object storage endpoint
High
CVE-2026-54457
was published
for
tensorzero
(pip)
Jul 15, 2026
FiftyOne App server uses wildcard CORS (Access-Control-Allow-Origin: *), enabling cross-origin reads of local server data
Moderate
CVE-2026-53656
was published
for
fiftyone
(pip)
Jul 15, 2026
LangBot: Authenticated RCE Via MCP Configuration
High
CVE-2026-54449
was published
for
langbot
(pip)
Jul 15, 2026
garminconnect Has Insecure Permission Assignment for Garmin OAuth Token Store
High
CVE-2026-54447
was published
for
garminconnect
(pip)
Jul 15, 2026
NetLicensing-MCP: Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode
High
CVE-2026-54446
was published
for
netlicensing-mcp
(pip)
Jul 14, 2026
Wasmtime: Memory leak in C API with `externref` and `anyref` types
Low
CVE-2025-61670
was published
for
wasmtime-bin
(pip)
Jul 14, 2026
ProTip!
Advisories are also available from the
GraphQL API