GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,107 advisories

NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content Moderate
CVE-2025-66470 was published for nicegui (pip) Dec 8, 2025
Credited to twmoon, evnchn, and falkoschindler
NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection Moderate
CVE-2025-66469 was published for nicegui (pip) Dec 8, 2025
Credited to twmoon, evnchn, and falkoschindler
urllib3 streaming API improperly handles highly compressed data High
CVE-2025-66471 was published for urllib3 (pip) Dec 5, 2025
Credited to illia-v, pquentin, sethmlarson, Cycloctane, and stamparm
urllib3 allows an unbounded number of links in the decompression chain High
CVE-2025-66418 was published for urllib3 (pip) Dec 5, 2025
Credited to illia-v, sethmlarson, and pquentin
Credited to teolines
ComposioHQ has a directory traversal vulnerability Moderate
CVE-2025-56427 was published for composio (pip) Dec 4, 2025
open-webui is Vulnerable to Incorrect Access Control Low
CVE-2025-63681 was published for open-webui (pip) Dec 4, 2025
Ansible Community General Collection is vulnerable to exposure of sensitive information Moderate
CVE-2025-14010 was published for ansible (pip) Dec 4, 2025
Credited to reanguiano
asyncmy is vulnerable to SQL injection via crafted dict keys Critical
CVE-2025-65896 was published for asyncmy (pip) Dec 2, 2025
Django is vulnerable to DoS via XML serializer text extraction Moderate
CVE-2025-64460 was published for Django (pip) Dec 2, 2025
Django is vulnerable to SQL injection in column aliases Moderate
CVE-2025-13372 was published for Django (pip) Dec 2, 2025
Credited to qi-scape
vLLM vulnerable to remote code execution via transformers_utils/get_config High
CVE-2025-66448 was published for vllm (pip) Dec 2, 2025
Credited to Vancir, Isotr0py, DarkLight1337, and russellb
Keras Directory Traversal Vulnerability High
CVE-2025-12060 was published for keras (pip) Dec 2, 2025
Credited to ready-research
Werkzeug safe_join() allows Windows special device names Moderate
CVE-2025-66221 was published for werkzeug (pip) Dec 2, 2025
Credited to Oblivionsage
Spotipy has a XSS vulnerability in its OAuth callback server Low
CVE-2025-66040 was published for spotipy (pip) Dec 1, 2025
Credited to yueyueL
fontTools is Vulnerable to Arbitrary File Write and XML injection in fontTools.varLib Moderate
CVE-2025-66034 was published for fonttools (pip) Dec 1, 2025
Credited to ntandiono and vk-can
trytond allows remote attackers to obtain sensitive trace-back (server setup) information Moderate
CVE-2025-66422 was published for trytond (pip) Nov 30, 2025
trytond does not enforce access rights for the route of the HTML editor High
CVE-2025-66423 was published for trytond (pip) Nov 30, 2025
trytond does not enforce access rights for data export Moderate
CVE-2025-66424 was published for trytond (pip) Nov 30, 2025
Duplicate Advisory: Keras keras.utils.get_file API is vulnerable to a path traversal attack High
CVE-2025-12638 was published for Keras (pip) Nov 28, 2025 withdrawn
Peppol-py is vulnerable to XXE attacks due to Saxon configuration Moderate
CVE-2025-66371 was published for peppol_py (pip) Nov 28, 2025
Ray's New Token Authentication is Disabled By Default Critical
CVE-2025-34351 was published for ray (pip) Nov 27, 2025