Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,737
Maven
5,000+
npm
4,337
NuGet
764
pip
4,112
Pub
12
RubyGems
960
Rust
1,068
Swift
45
Unreviewed advisories
All unreviewed
5,000+

4,112 advisories

Loading
LangGraph's SQLite is vulnerable to SQL injection via metadata filter key in SQLite checkpointer list method High
GHSA-9rwj-6rc7-p77c was published for langgraph-checkpoint-sqlite (pip) Dec 10, 2025
VladimirEliTokarev yardenporat353
Credited to VladimirEliTokarev and yardenporat353
Cybersecurity AI (CAI) vulnerable to Command Injection in run_ssh_command_with_credentials Agent tool Critical
CVE-2025-67511 was published for cai-framework (pip) Dec 9, 2025
edoardottt
Credited to edoardottt
HTTP/HTTPS Traffic Interception Bypass in mad-proxy Moderate
CVE-2025-67485 was published for mad-proxy (pip) Dec 9, 2025
machphy
Credited to machphy
LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates High
CVE-2025-65106 was published for langchain-core (pip) Nov 20, 2025
0xn3va
Credited to 0xn3va
NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content Moderate
CVE-2025-66470 was published for nicegui (pip) Dec 8, 2025
twmoon evnchn
falkoschindler
Credited to twmoon, evnchn, and falkoschindler
NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection Moderate
CVE-2025-66469 was published for nicegui (pip) Dec 8, 2025
twmoon evnchn
falkoschindler
Credited to twmoon, evnchn, and falkoschindler
Open Redirect Vulnerability in Taguette Moderate
CVE-2025-67502 was published for taguette (pip) Dec 9, 2025
yueyueL
Credited to yueyueL
NiceGUI has a path traversal in app.add_media_files() allows arbitrary file read High
CVE-2025-66645 was published for nicegui (pip) Dec 9, 2025
y4rvin evnchn
falkoschindler
Credited to y4rvin, evnchn, and falkoschindler
ComposioHQ has a directory traversal vulnerability Moderate
CVE-2025-56427 was published for composio (pip) Dec 4, 2025
Ansible Community General Collection is vulnerable to exposure of sensitive information Moderate
CVE-2025-14010 was published for ansible (pip) Dec 4, 2025
reanguiano
Credited to reanguiano
MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability High
CVE-2025-11201 was published for mlflow (pip) Oct 29, 2025
mueslo
Credited to mueslo
urllib3 streaming API improperly handles highly compressed data High
CVE-2025-66471 was published for urllib3 (pip) Dec 5, 2025
illia-v pquentin
sethmlarson Cycloctane stamparm
Credited to illia-v, pquentin, sethmlarson, Cycloctane, and stamparm
urllib3 allows an unbounded number of links in the decompression chain High
CVE-2025-66418 was published for urllib3 (pip) Dec 5, 2025
illia-v sethmlarson
pquentin
Credited to illia-v, sethmlarson, and pquentin
open-webui is Vulnerable to Incorrect Access Control Low
CVE-2025-63681 was published for open-webui (pip) Dec 4, 2025
Remote Code Execution Vulnerability in vLLM Multi-Node Cluster Configuration High
CVE-2025-30165 was published for vllm (pip) May 6, 2025
avioligo russellb
Credited to avioligo and russellb
Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web High
CVE-2025-65958 was published for open-webui (pip) Dec 4, 2025
teolines
Credited to teolines
assyncmy is vulnerable to SQL injection via crafted dict keys Critical
CVE-2025-65896 was published for asyncmy (pip) Dec 2, 2025
Django is vulnerable to DoS via XML serializer text extraction Moderate
CVE-2025-64460 was published for Django (pip) Dec 2, 2025
mako is vulnerable to Regular Expression Denial of Service High
CVE-2022-40023 was published for mako (pip) Sep 16, 2022
Django is vulnerable to SQL injection in column aliases Moderate
CVE-2025-13372 was published for Django (pip) Dec 2, 2025
arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints Moderate
CVE-2025-66454 was published for arcade-mcp-server (pip) Dec 2, 2025
qi-scape
Credited to qi-scape
Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default High
CVE-2025-66416 was published for mcp (pip) Dec 2, 2025
Calibre-Web Has a Stored Cross-Site Scripting (XSS) Vulnerability via the 'username' Field During User Creation Low
CVE-2025-65858 was published for calibreweb (pip) Dec 2, 2025
vLLM vulnerable to remote code execution via transformers_utils/get_config High
CVE-2025-66448 was published for vllm (pip) Dec 2, 2025
Vancir Isotr0py
DarkLight1337 russellb
Credited to Vancir, Isotr0py, DarkLight1337, and russellb
Keras Directory Traversal Vulnerability High
CVE-2025-12060 was published for keras (pip) Dec 2, 2025
ready-research
Credited to ready-research
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database