Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,963
Erlang
39
GitHub Actions
38
Go
2,615
Maven
5,000+
npm
4,255
NuGet
760
pip
4,036
Pub
12
RubyGems
953
Rust
1,049
Swift
45
Unreviewed advisories
All unreviewed
5,000+

1,533 advisories

Loading
Agno session state overwrites between different sessions/users High
CVE-2025-64168 was published for agno (pip) Oct 31, 2025
JasonLovesDoggo
Credited to JasonLovesDoggo
Brotli is vulnerable to a denial of service (DoS) attack due to decompression High
CVE-2025-6176 was published for brotli (pip) Oct 31, 2025
Keras keras.utils.get_file API is vulnerable to a path traversal attack High
CVE-2025-12060 was published for keras (pip) Oct 30, 2025
LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore High
CVE-2025-64104 was published for langgraph-checkpoint-sqlite (pip) Oct 29, 2025
ColeMurray
Credited to ColeMurray
FastMCP Auth Integration Allows for Confused Deputy Account Takeover High
GHSA-c2jp-c369-7pvx was published for fastmcp (pip) Oct 29, 2025
localden
Credited to localden
Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse`` High
CVE-2025-62727 was published for starlette (pip) Oct 28, 2025
ch4n3-yoon
Credited to ch4n3-yoon
pg8000 SQL injection vulnerability via a specially crafted Python list input High
CVE-2025-61385 was published for pg8000 (pip) Oct 27, 2025
LangGraph's SQLite store implementation has a SQL Injection Vulnerability High
CVE-2025-8709 was published for langgraph-checkpoint-sqlite (pip) Oct 26, 2025
aiomysql allows arbitrary access to client files through vulnerability of a malicious MySQL server High
CVE-2025-62611 was published for aiomysql (pip) Oct 22, 2025
KonstantAnxiety
Credited to KonstantAnxiety
Taguette password reset link poisoning High
CVE-2025-62527 was published for taguette (pip) Oct 20, 2025
emilvirkki
Credited to emilvirkki
Home Assistant has Stored XSS vulnerability in Energy dashboard from Energy Entity Name High
CVE-2025-62172 was published for homeassistant (pip) Oct 14, 2025
pwnpanda
Credited to pwnpanda
llama-index has Insecure Temporary File High
CVE-2025-7707 was published for llama-index (pip) Oct 13, 2025
Authlib is vulnerable to Denial of Service via Oversized JOSE Segments High
CVE-2025-61920 was published for authlib (pip) Oct 10, 2025
AL-Cybision
Credited to AL-Cybision
pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters High
CVE-2025-61773 was published for pyload-ng (pip) Oct 9, 2025
odaysec
Credited to odaysec
vLLM is vulnerable to Server-Side Request Forgery (SSRF) through `MediaConnector` class High
CVE-2025-6242 was published for vllm (pip) Oct 7, 2025
kexinoh d3do-23
lonelyuan huachenheli DarkLight1337 russellb sidhpurwala-huzaifa
Credited to kexinoh, d3do-23, lonelyuan, huachenheli, DarkLight1337, russellb, and sidhpurwala-huzaifa
LLaMA Factory's Chat API Contains Critical SSRF and LFI Vulnerabilities High
CVE-2025-61784 was published for llamafactory (pip) Oct 7, 2025
d3do-23 kexinoh
lonelyuan
Credited to d3do-23, kexinoh, and lonelyuan
vLLM is vulnerable to timing attack at bearer auth High
CVE-2025-59425 was published for vllm (pip) Oct 7, 2025
NiuBlibing russellb
Credited to NiuBlibing and russellb
Litestar X-Forwarded-For Header Spoofing Vulnerability Enables Rate Limit Evasion High
CVE-2025-59152 was published for litestar (pip) Oct 6, 2025
crum7 takumi-san-ai
Credited to crum7 and takumi-san-ai
LangChain Text Splitters is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing High
CVE-2025-6985 was published for langchain-text-splitters (pip) Oct 6, 2025
chaliy
Credited to chaliy
Django vulnerable to SQL injection in column aliases High
CVE-2025-59681 was published for django (pip) Oct 1, 2025
llama-index-core insecurely handles temporary files High
CVE-2025-7647 was published for llama-index-core (pip) Sep 27, 2025
Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass) High
CVE-2025-59420 was published for authlib (pip) Sep 22, 2025
AL-Cybision
Credited to AL-Cybision
The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded. High
CVE-2025-9905 was published for keras (pip) Sep 19, 2025
io-no
Credited to io-no
Duplicate Advisory: The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded. High
GHSA-77wq-646f-jrm2 was published for keras (pip) Sep 19, 2025 withdrawn
Keras is vulnerable to Deserialization of Untrusted Data High
CVE-2025-9906 was published for keras (pip) Sep 19, 2025
cai0duque
Credited to cai0duque
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database