Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,894
Erlang
38
GitHub Actions
38
Go
2,558
Maven
5,000+
npm
4,232
NuGet
751
pip
4,001
Pub
12
RubyGems
953
Rust
1,042
Swift
45
Unreviewed advisories
All unreviewed
5,000+

1,643 advisories

Loading
Home Assistant has Stored XSS vulnerability in Energy dashboard from Energy Entity Name Moderate
CVE-2025-62172 was published for homeassistant (pip) Oct 14, 2025
pwnpanda
Credited to pwnpanda
Authlib : JWE zip=DEF decompression bomb enables DoS Moderate
GHSA-g7f3-828f-7h7m was published for authlib (pip) Oct 10, 2025
AL-Cybision
Credited to AL-Cybision
python-ldap is Vulnerable to Improper Encoding or Escaping of Output and Improper Null Termination Moderate
CVE-2025-61912 was published for python-ldap (pip) Oct 10, 2025
aradona91
Credited to aradona91
python-ldap has sanitization bypass in ldap.filter.escape_filter_chars Moderate
CVE-2025-61911 was published for python-ldap (pip) Oct 10, 2025
lukas-eu
Credited to lukas-eu
BBOT's git_clone.py can expose users' GitHub API keys to an attacker-controlled webserver Moderate
CVE-2025-10281 was published for bbot (pip) Oct 9, 2025
justinsteven liquidsec
Credited to justinsteven and liquidsec
Python Social Auth - Django has unsafe account association Moderate
CVE-2025-61783 was published for social-auth-app-django (pip) Oct 9, 2025
mel-mason vanya909
nijel
Credited to mel-mason, vanya909, and nijel
Synapse's invalid device keys degrade federation functionality Moderate
CVE-2025-61672 was published for matrix-synapse (pip) Oct 8, 2025
dkasak
Credited to dkasak
vLLM: Resource-Exhaustion (DoS) through Malicious Jinja Template in OpenAI-Compatible Server Moderate
CVE-2025-61620 was published for vllm (pip) Oct 7, 2025
key-moon Ga-ryo
Alnusjaponica Isotr0py DarkLight1337
Credited to key-moon, Ga-ryo, Alnusjaponica, Isotr0py, and DarkLight1337
python-socketio vulnerable to arbitrary Python code execution (RCE) through malicious pickle deserialization in certain multi-server deployments Moderate
CVE-2025-61765 was published for python-socketio (pip) Oct 7, 2025
locus-x64
Credited to locus-x64
clearml is vulnerable to Path Traversal through its `safe_extract` function Moderate
CVE-2025-8917 was published for clearml (pip) Oct 5, 2025
ZenML is vulnerable to Path Traversal through its `PathMaterializer` class Moderate
CVE-2025-8406 was published for zenml (pip) Oct 5, 2025
NiceGUI has a Reflected XSS Moderate
CVE-2025-53354 was published for nicegui (pip) Oct 3, 2025
oxqnd
Credited to oxqnd
marimo vulnerable to proxy abuse of /mpl/{port}/ Moderate
GHSA-xjv7-6w92-42r7 was published for marimo (pip) Oct 1, 2025
acepace
Credited to acepace
SPDK is vulnerable to buffer overflow in the NVMe-oF target component Moderate
CVE-2025-57275 was published for spdk (pip) Oct 1, 2025
mkdocs-include-markdown-plugin susceptible to unvalidated input colliding with substitution placeholders Moderate
CVE-2025-59940 was published for mkdocs-include-markdown-plugin (pip) Sep 29, 2025
mondeja
Credited to mondeja
Apache Airflow: Connection sensitive details exposed to users with READ permissions Moderate
CVE-2025-54831 was published for apache-airflow (pip) Sep 26, 2025
ml-logger file handler allows reading arbitrary files Moderate
CVE-2025-10952 was published for ml-logger (pip) Sep 25, 2025
ml-logger has path traversal in the file argument Moderate
CVE-2025-10951 was published for ml-logger (pip) Sep 25, 2025
Llama Stack could potentially allow for remote code execution Moderate
CVE-2025-55178 was published for llama-stack (pip) Sep 24, 2025
pip's fallback tar extraction doesn't check symbolic links point to extraction directory Moderate
CVE-2025-8869 was published for pip (pip) Sep 24, 2025
cai0duque bentasker
swils23
Credited to cai0duque, bentasker, and swils23
Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer Moderate
CVE-2025-6921 was published for transformers (pip) Sep 23, 2025
CodeChecker has a buffer overflow in the log command Moderate
CVE-2025-40843 was published for codechecker (pip) Sep 22, 2025
barnabasdomozi
Credited to barnabasdomozi
mcp-kubernetes-server has a Command Injection vulnerability Moderate
CVE-2025-59376 was published for mcp-kubernetes-server (pip) Sep 15, 2025
cai0duque
Credited to cai0duque
Hugging Face Transformers library has Regular Expression Denial of Service Moderate
CVE-2025-6051 was published for transformers (pip) Sep 14, 2025
Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer Moderate
CVE-2025-6638 was published for transformers (pip) Sep 12, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database