Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,876
Erlang
37
GitHub Actions
37
Go
2,526
Maven
5,000+
npm
4,191
NuGet
742
pip
3,968
Pub
12
RubyGems
947
Rust
1,030
Swift
39
Unreviewed advisories
All unreviewed
5,000+

1,628 advisories

Loading
pip's fallback tar extraction doesn't check symbolic links point to extraction directory Moderate
CVE-2025-8869 was published for pip (pip) Sep 24, 2025
cai0duque
Apache Airflow: Connection sensitive details exposed to users with READ permissions Moderate
CVE-2025-54831 was published for apache-airflow (pip) Sep 26, 2025
ml-logger file handler allows reading arbitrary files Moderate
CVE-2025-10952 was published for ml-logger (pip) Sep 25, 2025
Hugging Face Transformers Regular Expression Denial of Service Moderate
CVE-2025-2099 was published for transformers (pip) May 19, 2025
cai0duque
mcp-kubernetes-server has a Command Injection vulnerability Moderate
CVE-2025-59376 was published for mcp-kubernetes-server (pip) Sep 15, 2025
cai0duque
ml-logger has path traversal in the file argument Moderate
CVE-2025-10951 was published for ml-logger (pip) Sep 25, 2025
Llama Stack could potentially allow for remote code execution Moderate
CVE-2025-55178 was published for llama-stack (pip) Sep 24, 2025
Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer Moderate
CVE-2025-6921 was published for transformers (pip) Sep 23, 2025
CodeChecker has a buffer overflow in the log command Moderate
CVE-2025-40843 was published for codechecker (pip) Sep 22, 2025
barnabasdomozi
Hugging Face Transformers library has Regular Expression Denial of Service Moderate
CVE-2025-6051 was published for transformers (pip) Sep 14, 2025
django CMS Cross-Site Scripting (XSS) Moderate
CVE-2024-11319 was published for django-cms (pip) Nov 18, 2024
Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer Moderate
CVE-2025-6638 was published for transformers (pip) Sep 12, 2025
Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods Moderate
CVE-2025-58065 was published for flask-appbuilder (pip) Sep 11, 2025
Fides Webserver API Rate Limiting Vulnerability in Proxied Environments Moderate
CVE-2025-57816 was published for ethyca-fides (pip) Sep 8, 2025
daveqnet eastandwestwind
erosselli
MLFlow SSRF via gateway_proxy_handler Moderate
CVE-2025-52967 was published for mlflow (pip) Jun 23, 2025
steffenkyhn-git
copyparty: Sharing a single file does not fully restrict access to other files in source folder Moderate
CVE-2025-58753 was published for copyparty (pip) Sep 9, 2025
xgrammar vulnerable to denial of service by huge enum grammar Moderate
CVE-2025-58446 was published for xgrammar (pip) Sep 5, 2025
xendo
Infrahub: Deleted and expired API tokens can still authenticate Moderate
CVE-2025-59036 was published for infrahub-server (pip) Sep 10, 2025
fatih-acar
Indico vulnerable to Cross-Site Scripting via LaTeX math code Moderate
CVE-2025-59035 was published for indico (pip) Sep 10, 2025
ThiefMaster
Indico may disclose unauthorized user details access via legacy API Moderate
CVE-2025-59034 was published for indico (pip) Sep 10, 2025
inkz
copyparty vulnerable to reflected cross-site scripting via k304 parameter Moderate
CVE-2023-38501 was published for copyparty (pip) Jul 25, 2023
TheHackyDog
MobSF Vulnerable to Arbitrary File Write (AR-Slip) via Absolute Path in .a Extraction Moderate
CVE-2025-58162 was published for mobsf (pip) Sep 2, 2025
noname1337h1
Local Deep Research's API keys are stored in plain text Moderate
CVE-2025-57806 was published for local-deep-research (pip) Sep 2, 2025
i-d-lytvynenko
PyTorch Improper Resource Shutdown or Release vulnerability Moderate
CVE-2025-3730 was published for torch (pip) Apr 16, 2025
ferdlestier szuliq
Eventlet affected by HTTP request smuggling in unparsed trailers Moderate
CVE-2025-58068 was published for eventlet (pip) Aug 29, 2025
sebastianosrt
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database