Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,549
Maven
5,000+
npm
5,000+
NuGet
917
pip
4,798
Pub
13
RubyGems
1,038
Rust
1,237
Swift
53
Unreviewed advisories
All unreviewed
5,000+

4,798 advisories

Loading
pretalx vulnerable to stored cross-site scripting in organizer search typeahead High
GHSA-cjcx-jfp2-f7m2 was published for pretalx (pip) Apr 18, 2026
pretalx mail templates vulnerable to email injection via unescaped user-controlled placeholders Moderate
GHSA-jm8c-9f3j-4378 was published for pretalx (pip) Apr 18, 2026
markfijneman Credited to markfijneman
Dagster Vulnerable to SQL Injection via Dynamic Partition Keys in Database I/O Manager Integrations High
GHSA-mjw2-v2hm-wj34 was published for dagster (pip) Apr 18, 2026
alexwaira Credited to alexwaira, vyprsec-research, and romain-deperne vyprsec-research vyprsec-research
romain-deperne romain-deperne
PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315) High
GHSA-rg3h-x3jw-7jm5 was published for praisonai (pip) Apr 17, 2026
BerSecHub Credited to BerSecHub
Incomplete fix for CVE-2026-34935: Command Injection in MervinPraison/PraisonAI Critical
GHSA-9qhq-v63v-fv3j was published for praisonai (pip) Apr 17, 2026
Neo4j Labs MCP Servers: SSRF and Data Modification via read_only Mode Bypass Through CALL Procedures Low
CVE-2026-35402 was published for mcp-neo4j-cypher (pip) Apr 17, 2026
yotampe-pluto Credited to yotampe-pluto
Sentry: Improper authentication on SAML SSO process allows user identity linking Critical
CVE-2026-27197 was published for sentry (pip) Apr 17, 2026
Muhammad-Qasim-Munir Credited to Muhammad-Qasim-Munir
langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding Low
GHSA-r7w7-9xr2-qq2r was published for langchain-openai (pip) Apr 16, 2026
deprrous Credited to deprrous
LangChain Text Splitters: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass Moderate
GHSA-fv5p-p927-qmxr was published for langchain-text-splitters (pip) Apr 16, 2026
Aeg1sx Credited to Aeg1sx
Authlib: Cross-site request forging when using cache Moderate
GHSA-jj8c-mmj3-mmgv was published for authlib (pip) Apr 16, 2026
pypdf: Manipulated FlateDecode image dimensions can exhaust RAM Moderate
GHSA-x284-j5p8-9c5p was published for pypdf (pip) Apr 16, 2026
l3b4nk4 Credited to l3b4nk4 and stefan6419846 stefan6419846 stefan6419846
pypdf: Possible long runtimes for wrong size values in incremental mode Moderate
GHSA-4pxv-j86v-mhcw was published for pypdf (pip) Apr 16, 2026
l3b4nk4 Credited to l3b4nk4 and stefan6419846 stefan6419846 stefan6419846
pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM Moderate
GHSA-7gw9-cf7v-778f was published for pypdf (pip) Apr 16, 2026
l3b4nk4 Credited to l3b4nk4 and stefan6419846 stefan6419846 stefan6419846
Home Assistant Command-line Interface: Handling of user-supplied Jinja2 templates Moderate
CVE-2026-40602 was published for homeassistant-cli (pip) Apr 16, 2026
heyitsPiyush Credited to heyitsPiyush and fabaff fabaff fabaff
Mako: Path traversal via double-slash URI prefix in TemplateLookup Moderate
GHSA-v92g-xgxw-vvmm was published for Mako (pip) Apr 16, 2026
0xHunSec Credited to 0xHunSec
Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision Moderate
CVE-2026-40256 was published for weblate (pip) Apr 16, 2026
nijel Credited to nijel and M9nx M9nx M9nx
Weblate: SSRF via the webhook add-on using unprotected fetch_url() Moderate
CVE-2026-39845 was published for weblate (pip) Apr 16, 2026
nijel Credited to nijel
Weblate: Privilege escalation in the user API endpoint High
CVE-2026-34393 was published for weblate (pip) Apr 16, 2026
tikket1 Credited to tikket1, nijel, and DavidCarliez nijel nijel
DavidCarliez DavidCarliez
Weblate: SSRF via Project-Level Machinery Configuration Moderate
CVE-2026-34244 was published for weblate (pip) Apr 16, 2026
DavidCarliez Credited to DavidCarliez, nijel, and amCap1712 nijel nijel
amCap1712 amCap1712
Weblate: Arbitrary File Read via Symlink High
CVE-2026-34242 was published for weblate (pip) Apr 16, 2026
DavidCarliez Credited to DavidCarliez
Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads Moderate
CVE-2026-33440 was published for weblate (pip) Apr 16, 2026
spbavarva Credited to spbavarva and nijel nijel nijel
Weblate: Remote code execution during backup restoration High
CVE-2026-33435 was published for weblate (pip) Apr 16, 2026
nijel Credited to nijel and amCap1712 amCap1712 amCap1712
Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository Moderate
CVE-2026-33220 was published for weblate (pip) Apr 16, 2026
spbavarva Credited to spbavarva and nijel nijel nijel
Weblate: Improper access control for the translation memory in API Moderate
CVE-2026-33214 was published for weblate (pip) Apr 16, 2026
Weblate: Improper access control for pending tasks in API Low
CVE-2026-33212 was published for weblate (pip) Apr 16, 2026
nijel Credited to nijel
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database