Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,894
Erlang
38
GitHub Actions
38
Go
2,556
Maven
5,000+
npm
4,228
NuGet
747
pip
4,000
Pub
12
RubyGems
953
Rust
1,041
Swift
45
Unreviewed advisories
All unreviewed
5,000+

1,522 advisories

Loading
Issue with Amazon Redshift Python Connector and the BrowserAzureOAuth2CredentialsProvider plugin High
CVE-2025-5279 was published for redshift-connector (pip) May 28, 2025
girotomas
Credited to girotomas
Amazon Redshift Python Connector vulnerable to SQL Injection High
CVE-2024-12745 was published for redshift_connector (pip) Dec 26, 2024
alikrubin
Credited to alikrubin
llama-index has Insecure Temporary File High
CVE-2025-7707 was published for llama-index (pip) Oct 13, 2025
Authlib is vulnerable to Denial of Service via Oversized JOSE Segments High
CVE-2025-61920 was published for authlib (pip) Oct 10, 2025
AL-Cybision
Credited to AL-Cybision
pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters High
CVE-2025-61773 was published for pyload-ng (pip) Oct 9, 2025
odaysec
Credited to odaysec
FastAPI Guard has a regex bypass High
CVE-2025-54365 was published for fastapi-guard (pip) Jul 23, 2025
dhki rennf93
Credited to dhki and rennf93
Litestar X-Forwarded-For Header Spoofing Vulnerability Enables Rate Limit Evasion High
CVE-2025-59152 was published for litestar (pip) Oct 6, 2025
crum7 takumi-san-ai
Credited to crum7 and takumi-san-ai
LangChain Text Splitters is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing High
CVE-2025-6985 was published for langchain-text-splitters (pip) Oct 6, 2025
chaliy
Credited to chaliy
vLLM is vulnerable to Server-Side Request Forgery (SSRF) through `MediaConnector` class High
CVE-2025-6242 was published for vllm (pip) Oct 7, 2025
kexinoh d3do-23
lonelyuan huachenheli DarkLight1337 russellb sidhpurwala-huzaifa
Credited to kexinoh, d3do-23, lonelyuan, huachenheli, DarkLight1337, russellb, and sidhpurwala-huzaifa
LLaMA Factory's Chat API Contains Critical SSRF and LFI Vulnerabilities High
CVE-2025-61784 was published for llamafactory (pip) Oct 7, 2025
d3do-23 kexinoh
lonelyuan
Credited to d3do-23, kexinoh, and lonelyuan
vLLM is vulnerable to timing attack at bearer auth High
CVE-2025-59425 was published for vllm (pip) Oct 7, 2025
russellb
Credited to russellb
Withdrawn Advisory: Python-Future Module Arbitrary Code Execution via Unintended Import of test.py High
CVE-2025-50817 was published for future (pip) Aug 14, 2025 withdrawn
BarrensZeppelin
Credited to BarrensZeppelin
ExecuTorch vulnerable to Heap-based Buffer Overflow attack High
CVE-2025-30402 was published for executorch (Maven) Jul 11, 2025
Fidget-Grep
Credited to Fidget-Grep
Django vulnerable to SQL injection in column aliases High
CVE-2025-59681 was published for django (pip) Oct 1, 2025
Gunicorn HTTP Request/Response Smuggling vulnerability High
CVE-2024-6827 was published for gunicorn (pip) Mar 20, 2025
xzpjerry
Credited to xzpjerry
Request smuggling leading to endpoint restriction bypass in Gunicorn High
CVE-2024-1135 was published for gunicorn (pip) Apr 16, 2024
MLFlow unsafe deserialization High
CVE-2024-37059 was published for mlflow (pip) Jun 4, 2024
llama-index-core insecurely handles temporary files High
CVE-2025-7647 was published for llama-index-core (pip) Sep 27, 2025
xml2rfc is vulnerable to arbitrary file reads through prepped files High
CVE-2025-11059 was published for xml2rfc (pip) Sep 10, 2025
xml2rfc has an arbitrary file read vulnerability High
CVE-2025-11058 was published for xml2rfc (pip) Aug 26, 2025
Monai: Unsafe use of Pickle deserialization may lead to RCE High
CVE-2025-58757 was published for monai (pip) Sep 9, 2025
h3rrr
Credited to h3rrr
MONAI: Unsafe torch usage may lead to arbitrary code execution High
CVE-2025-58756 was published for monai (pip) Sep 9, 2025
h3rrr
Credited to h3rrr
MONAI does not prevent path traversal, potentially leading to arbitrary file writes High
CVE-2025-58755 was published for monai (pip) Sep 9, 2025
h3rrr
Credited to h3rrr
Keras is vulnerable to Deserialization of Untrusted Data High
CVE-2025-9906 was published for keras (pip) Sep 19, 2025
cai0duque
Credited to cai0duque
Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass) High
CVE-2025-59420 was published for authlib (pip) Sep 22, 2025
AL-Cybision
Credited to AL-Cybision
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database