Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,766
Erlang
35
GitHub Actions
29
Go
2,332
Maven
5,000+
npm
3,965
NuGet
713
pip
3,748
Pub
12
RubyGems
921
Rust
975
Swift
38
Unreviewed advisories
All unreviewed
5,000+

3,748 advisories

Loading
vLLM allows Remote Code Execution by Pickle Deserialization via AsyncEngineRPCServer() RPC server entrypoints Critical
CVE-2024-9053 was published for vllm (pip) Mar 20, 2025
phi4mm: Quadratic Time Complexity in Input Token Processing​ leads to denial of service Moderate
CVE-2025-46560 was published for vllm (pip) Apr 29, 2025
kexinoh d3do-23
lonelyuan russellb DarkLight1337 Isotr0py
Jinja2 vulnerable to sandbox breakout through attr filter selecting format method Moderate
CVE-2025-27516 was published for Jinja2 (pip) Mar 5, 2025
securingapps
Flair allows arbitrary code execution Moderate
CVE-2024-10073 was published for flair (pip) Oct 17, 2024
m3t3kh4n wnowicki
LLaMA-Factory Allows Arbitrary Code Execution via Unsafe Deserialization in Ilamafy_baichuan2.py Moderate
CVE-2025-46567 was published for llamafactory (pip) Apr 23, 2025
Anchor0221 xhjy2020
diplib Double Free Moderate
CVE-2021-39432 was published for diplib (pip) Nov 4, 2022
Qiskit allows arbitrary code execution decoding QPY format versions < 13 Critical
CVE-2025-2000 was published for qiskit (pip) Mar 14, 2025
Duplicate Advisory: `allowed_domains` can be bypassed by putting a decoy domain in http auth username portion of a URL Critical
GHSA-f54f-hr32-586f was published for browser-use (pip) May 3, 2025 withdrawn
Browser Use allows bypassing `allowed_domains` by putting a decoy domain in http auth username portion of a URL Critical
CVE-2025-47241 was published for browser-use (pip) May 5, 2025
mmudryi markiyanch
Data exposure via ZeroMQ on multi-node vLLM deployment High
CVE-2025-30202 was published for vllm (pip) Apr 29, 2025
russellb kexinoh
Mobile Security Framework (MobSF) Allows Stored Cross Site Scripting (XSS) via malicious SVG Icon Upload Moderate
CVE-2025-46335 was published for mobsf (pip) May 5, 2025
ssshah2131
Langroid Allows XXE Injection via XMLToolMessage High
CVE-2025-46726 was published for langroid (pip) May 5, 2025
SCH227
Mobile Security Framework (MobSF) Allows Web Server Resource Exhaustion via ZIP of Death Attack Moderate
CVE-2025-46730 was published for mobsf (pip) May 5, 2025
ssshah2131
Apache Airflow: DAG Code and Import Error Permissions Ignored Moderate
CVE-2024-27906 was published for apache-airflow (pip) Feb 29, 2024
oscerd sunSUNQ
Mezzanine CMS Cross-Site Scripting (XSS) vulnerability Moderate
CVE-2025-29573 was published for Mezzanine (pip) May 5, 2025
Remote Code Execution Vulnerability in vLLM Multi-Node Cluster Configuration High
CVE-2025-30165 was published for vllm (pip) May 6, 2025
avioligo russellb
OpenStack Kolla sudo privilege escalation vulnerability High
CVE-2022-38060 was published for kolla (pip) Dec 21, 2022
Django-Unicorn Class Pollution Vulnerability, Leading to XSS, DoS and Authentication Bypass Critical
CVE-2025-24370 was published for django-unicorn (pip) Feb 3, 2025
superboy-zjc jackfromeast
Django has a denial-of-service possibility in strip_tags() Moderate
CVE-2025-32873 was published for Django (pip) May 8, 2025
OpenStack Ironic fails to restrict paths used for file:// image URLs Low
CVE-2025-44021 was published for ironic (pip) May 8, 2025
AWorld OS Command Injection vulnerability Low
CVE-2025-4032 was published for aworld (pip) Apr 28, 2025
LlamaIndex Vulnerable to Denial of Service (DoS) High
CVE-2025-1752 was published for llama-index (pip) May 10, 2025
Directory traversal in zenml Critical
CVE-2024-2083 was published for zenml (pip) Apr 16, 2024
Apache Superset Allows Ownership Takeover Moderate
CVE-2025-27696 was published for apache-superset (pip) May 13, 2025
Flask uses fallback key instead of current signing key Low
CVE-2025-47278 was published for flask (pip) May 13, 2025
jayaddison Brax94
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database