Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,766
Maven
5,000+
npm
4,371
NuGet
767
pip
4,144
Pub
12
RubyGems
962
Rust
1,070
Swift
45
Unreviewed advisories
All unreviewed
5,000+

1,574 advisories

Loading
Cowrie has a SSRF vulnerability in wget/curl emulation enabling DDoS amplification High
GHSA-83jg-m2pm-4jxj was published for cowrie (pip) Dec 20, 2025
filippolauria
Credited to filippolauria
External Control of File Name or Path in Langflow High
CVE-2025-68478 was published for langflow (pip) Dec 19, 2025
J1vvoo
Credited to J1vvoo
Langflow vulnerable to Server-Side Request Forgery High
CVE-2025-68477 was published for langflow (pip) Dec 19, 2025
im-soohyun
Credited to im-soohyun
Weblate has an arbitrary file read via symbolic links High
CVE-2025-68279 was published for Weblate (pip) Dec 18, 2025
secjson nijel
Credited to secjson and nijel
nbconvert has an uncontrolled search path that leads to unauthorized code execution on Windows High
CVE-2025-53000 was published for nbconvert (pip) Dec 18, 2025
dlqqq krassowski
yohannslm
Credited to dlqqq, krassowski, and yohannslm
Fickling has Code Injection vulnerability via pty.spawn() High
CVE-2025-67748 was published for fickling (pip) Dec 15, 2025
0x00nier
Credited to 0x00nier
Fickling has missing detection for marshal.loads and types.FunctionType in unsafe modules list High
CVE-2025-67747 was published for fickling (pip) Dec 15, 2025
0x00nier
Credited to 0x00nier
Universal Tool Calling Protocol (UTCP) client library for Python vulnerable to Trust Boundary Violation through Manual JSON specification High
CVE-2025-14542 was published for utcp (pip) Dec 13, 2025
LangGraph's SQLite is vulnerable to SQL injection via metadata filter key in SQLite checkpointer list method High
CVE-2025-67644 was published for langgraph-checkpoint-sqlite (pip) Dec 10, 2025
VladimirEliTokarev yardenporat353
Credited to VladimirEliTokarev and yardenporat353
NiceGUI has a path traversal in app.add_media_files() allows arbitrary file read High
CVE-2025-66645 was published for nicegui (pip) Dec 9, 2025
y4rvin evnchn
falkoschindler
Credited to y4rvin, evnchn, and falkoschindler
urllib3 streaming API improperly handles highly compressed data High
CVE-2025-66471 was published for urllib3 (pip) Dec 5, 2025
illia-v pquentin
sethmlarson Cycloctane stamparm
Credited to illia-v, pquentin, sethmlarson, Cycloctane, and stamparm
urllib3 allows an unbounded number of links in the decompression chain High
CVE-2025-66418 was published for urllib3 (pip) Dec 5, 2025
illia-v sethmlarson
pquentin
Credited to illia-v, sethmlarson, and pquentin
Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web High
CVE-2025-65958 was published for open-webui (pip) Dec 4, 2025
teolines
Credited to teolines
vLLM vulnerable to remote code execution via transformers_utils/get_config High
CVE-2025-66448 was published for vllm (pip) Dec 2, 2025
Vancir Isotr0py
DarkLight1337 russellb
Credited to Vancir, Isotr0py, DarkLight1337, and russellb
Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default High
CVE-2025-66416 was published for mcp (pip) Dec 2, 2025
Keras Directory Traversal Vulnerability High
CVE-2025-12060 was published for keras (pip) Dec 2, 2025
ready-research
Credited to ready-research
trytond does not enforce access rights for the route of the HTML editor. High
CVE-2025-66423 was published for trytond (pip) Nov 30, 2025
Duplicate Advisory: Keras keras.utils.get_file API is vulnerable to a path traversal attack High
CVE-2025-12638 was published for Keras (pip) Nov 28, 2025 withdrawn
Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer High
CVE-2025-62703 was published for fugue (pip) Nov 25, 2025
Chenpinji
Credited to Chenpinji
Keylime allows users to register new agents by recycling existing UUIDs when using different TPM devices High
CVE-2025-13609 was published for keylime (pip) Nov 24, 2025
vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs High
CVE-2025-62372 was published for vllm (pip) Nov 20, 2025
DarkLight1337 ywang96
Isotr0py russellb
Credited to DarkLight1337, ywang96, Isotr0py, and russellb
vLLM deserialization vulnerability leading to DoS and potential RCE High
CVE-2025-62164 was published for vllm (pip) Nov 20, 2025
omriaxion russellb
DarkLight1337 Isotr0py ywang96 davidaxion
Credited to omriaxion, russellb, DarkLight1337, Isotr0py, ywang96, and davidaxion
LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates High
CVE-2025-65106 was published for langchain-core (pip) Nov 20, 2025
0xn3va
Credited to 0xn3va
OpenStack Keystone allows /v3/ec2tokens or /v3/s3tokens request with valid AWS Signature to provide Keystone authorization. High
CVE-2025-65073 was published for keystone (pip) Nov 17, 2025
AWS Advanced Python Wrapper: Privilege Escalation in Aurora PostgreSQL instance High
CVE-2025-12967 was published for aws_advanced_python_wrapper (pip) Nov 13, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database