Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,685
Maven
5,000+
npm
4,318
NuGet
760
pip
4,092
Pub
12
RubyGems
958
Rust
1,063
Swift
45
Unreviewed advisories
All unreviewed
5,000+

1,678 advisories

Loading
Werkzeug safe_join() allows Windows special device names Moderate
CVE-2025-66221 was published for werkzeug (pip) Dec 2, 2025
Oblivionsage
Credited to Oblivionsage
fontTools is Vulnerable to Arbitrary File Write and XML injection in fontTools.varLib Moderate
CVE-2025-66034 was published for fonttools (pip) Dec 1, 2025
ntandiono vk-can
Credited to ntandiono and vk-can
trytond allows remote attackers to obtain sensitive trace-back (server setup) information Moderate
CVE-2025-66422 was published for trytond (pip) Nov 30, 2025
trytond does not enforce access rights for data export Moderate
CVE-2025-66424 was published for trytond (pip) Nov 30, 2025
Peppol-py is vulnerable to XXE attacks due to Saxon configuration Moderate
CVE-2025-66371 was published for peppol_py (pip) Nov 28, 2025
OpenStack's Mistral Client has a local file inclusion vulnerability Moderate
CVE-2021-4472 was published for python-mistralclient (pip) Nov 26, 2025
pypdf's LZWDecode streams be manipulated to exhaust RAM Moderate
CVE-2025-66019 was published for pypdf (pip) Nov 24, 2025
aydinnyunus stefan6419846
Credited to aydinnyunus and stefan6419846
MLX has Wild Pointer Dereference in load_gguf() Moderate
CVE-2025-62609 was published for mlx (pip) Nov 21, 2025
wickgit mmudryi
markiyanch
Credited to wickgit, mmudryi, and markiyanch
MLX has heap-buffer-overflow in load() Moderate
CVE-2025-62608 was published for mlx (pip) Nov 21, 2025
wickgit mmudryi
markiyanch
Credited to wickgit, mmudryi, and markiyanch
vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs` Moderate
CVE-2025-62426 was published for vllm (pip) Nov 20, 2025
russellb Isotr0py
DarkLight1337
Credited to russellb, Isotr0py, and DarkLight1337
pgAdmin 4 has command injection vulnerability on Windows systems Moderate
CVE-2025-12763 was published for pgadmin4 (pip) Nov 13, 2025
AstrBot has an arbitrary file read vulnerability in function _encode_image_bs64 Moderate
CVE-2025-57697 was published for AstrBot (pip) Nov 7, 2025
Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode Moderate
CVE-2025-58337 was published for doris-mcp-server (pip) Nov 5, 2025
lirantal
Credited to lirantal
OctoPrint vulnerable to XSS in Action Commands Notification and Prompt Moderate
CVE-2025-64187 was published for octoprint (pip) Nov 4, 2025
jacopotediosi
Credited to jacopotediosi
DSPy does not properly restrict file reads Moderate
CVE-2025-12695 was published for dspy (pip) Nov 4, 2025
Ansible does not collect garbage after playbook run Moderate
CVE-2020-25635 was published for ansible (pip) Oct 31, 2025
cryptidy allows code execution via untrusted data due to pickle.loads Moderate
CVE-2025-63675 was published for cryptidy (pip) Oct 31, 2025
Apache Airflow has a command injection vulnerability in "example_dag_decorator" Moderate
CVE-2025-54941 was published for apache-airflow (pip) Oct 30, 2025
Apache Airflow's create action can upsert existing Pools/Connections/Variables Moderate
CVE-2025-62503 was published for apache-airflow (pip) Oct 30, 2025
Apache Airflow `/api/v2/dagReports` executes DAG Python in API Moderate
CVE-2025-62402 was published for apache-airflow (pip) Oct 30, 2025
OpenUSD File Parsing Use-After-Free Remote Code Execution Vulnerability Moderate
GHSA-grjp-54v3-c442 was published for usd-core (pip) Oct 29, 2025
uv allows ZIP payload obfuscation through parsing differentials Moderate
GHSA-pqhf-p39g-3x64 was published for uv (pip) Oct 29, 2025
calebbrown woodruffw
zanieb
Credited to calebbrown, woodruffw, and zanieb
CKAN vulnerable to fixed session IDs Moderate
CVE-2025-64100 was published for ckan (pip) Oct 29, 2025
FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name Moderate
CVE-2025-62801 was published for fastmcp (pip) Oct 29, 2025
nil340
Credited to nil340
FastMCP vulnerable to reflected XSS in client's callback page Moderate
CVE-2025-62800 was published for fastmcp (pip) Oct 29, 2025
an7y
Credited to an7y
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database