Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,736 advisories

Loading
PocketSphinx: Buffer overflows in language and acoustic model loading code Moderate
CVE-2026-54559 was published for pocketsphinx (pip) Jul 17, 2026
damseleng Credited to damseleng
x0root Credited to x0root
hackkim Credited to hackkim
Prompty: Arbitrary file read via file reference expansion High
CVE-2026-53598 was published for @prompty/core (npm) Jul 17, 2026
meta-ads-mcp: X-Pipeboard-Token Header Auth Bypass Reuses Operator Meta Token High
CVE-2026-54547 was published for meta-ads-mcp (pip) Jul 17, 2026
EQSTLab Credited to EQSTLab
EQSTLab Credited to EQSTLab and useworld useworld useworld
sh _uid does not drop supplementary groups (incomplete privilege drop) High
CVE-2026-54552 was published for sh (pip) Jul 17, 2026
Gares95 Credited to Gares95
plone.restapi: Stored XSS by spoofing mime type Moderate
GHSA-8rqh-vxpr-x77p was published for plone.restapi (pip) Jul 17, 2026
gyst Credited to gyst
plone.app.textfield: Stored XSS by spoofing mime type Moderate
CVE-2026-54503 was published for plone.app.textfield (pip) Jul 17, 2026
gyst Credited to gyst
vLLM: Speech-to-text upload size limit is enforced after full UploadFile read Moderate
CVE-2026-55646 was published for vllm (pip) Jul 17, 2026
rexpository Credited to rexpository and jperezdealgaba jperezdealgaba jperezdealgaba
brodmart Credited to brodmart and jperezdealgaba jperezdealgaba jperezdealgaba
vLLM has Remote DoS via Invalid Recovered Token Reinjection High
CVE-2026-54234 was published for vllm (pip) Jul 17, 2026
NeilAlfred Credited to NeilAlfred and jperezdealgaba jperezdealgaba jperezdealgaba
kexinoh Credited to kexinoh, russellb, DarkLight1337, and Isotr0py russellb russellb
DarkLight1337 DarkLight1337 Isotr0py Isotr0py
MCP Python SDK: WebSocket server transport does not support Host/Origin validation High
CVE-2026-59950 was published for mcp (pip) Jul 16, 2026
nitish-yaddala Credited to nitish-yaddala, Nadav0077, dodge1218, gistrec, and u-ktdi Nadav0077 Nadav0077
dodge1218 dodge1218 gistrec gistrec u-ktdi u-ktdi
srikanthramu Credited to srikanthramu and hewei-gikaku hewei-gikaku hewei-gikaku
cjmielke Credited to cjmielke, dewankpant, and shrutilohani dewankpant dewankpant
shrutilohani shrutilohani
dd-trace-py: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50271 was published for ddtrace (pip) Jul 15, 2026
django-haystack: Remote Code Execution via `eval()` in Elasticsearch Result Deserialization High
GHSA-r3hx-x5rh-p9vv was published for django-haystack (pip) Jul 15, 2026
Pixeldrain API key shared with unverified thirdparty sites Moderate
CVE-2026-54254 was published for cyberdrop-dl-patched (pip) Jul 15, 2026
NTFSvolume Credited to NTFSvolume
TensorZero Gateway: Arbitrary file read and SSRF in internal object storage endpoint High
CVE-2026-54457 was published for tensorzero (pip) Jul 15, 2026
geo-chen Credited to geo-chen
vittorio-prodomo Credited to vittorio-prodomo, mo-getter, benjaminpkane, kevin-dimichel, AdonaiVera, and AAtomical mo-getter mo-getter
benjaminpkane benjaminpkane kevin-dimichel kevin-dimichel AdonaiVera AdonaiVera AAtomical AAtomical
LangBot: Authenticated RCE Via MCP Configuration High
CVE-2026-54449 was published for langbot (pip) Jul 15, 2026
MosesOX Credited to MosesOX
garminconnect Has Insecure Permission Assignment for Garmin OAuth Token Store High
CVE-2026-54447 was published for garminconnect (pip) Jul 15, 2026
EQSTLab Credited to EQSTLab and 232-323 232-323 232-323
NetLicensing-MCP: Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode High
CVE-2026-54446 was published for netlicensing-mcp (pip) Jul 14, 2026
EQSTLab Credited to EQSTLab
Wasmtime: Memory leak in C API with `externref` and `anyref` types Low
CVE-2025-61670 was published for wasmtime-bin (pip) Jul 14, 2026
alexcrichton Credited to alexcrichton
ProTip! Advisories are also available from the GraphQL API