Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
3,958
Erlang
29
GitHub Actions
16
Go
1,745
Maven
4,971
npm
3,507
NuGet
609
pip
3,066
Pub
10
RubyGems
832
Rust
780
Swift
34
Unreviewed advisories
All unreviewed
5,000+

3,066 advisories

PyMySQL SQL Injection vulnerability Critical
CVE-2024-36039 was published for pymysql (pip) May 21, 2024
Gradio applications running locally vulnerable to 3rd party websites accessing routes and uploading files Moderate
CVE-2024-1727 was published for gradio (pip) May 21, 2024
OMERO.web must check that the JSONP callback is a valid function Moderate
CVE-2024-35180 was published for omero-web (pip) May 21, 2024
Requests `Session` object does not verify requests after making first request with verify=False Moderate
CVE-2024-35195 was published for requests (pip) May 20, 2024
mikeassel sigmavirus24
nateprewitt
aiosmtpd STARTTLS unencrypted commands injection Moderate
CVE-2024-34083 was published for aiosmtpd (pip) May 20, 2024
Arusekk
Duplicate Advisory: Scrapy leaks the authorization header on same-domain but cross-origin redirects High
GHSA-cg34-w3fm-82h3 was published for scrapy (pip) May 20, 2024 withdrawn
litellm passes untrusted data to `eval` function without sanitization High
CVE-2024-4264 was published for litellm (pip) May 18, 2024
ConsoleMe has an Arbitrary File Read Vulnerability via Limited Git command Critical
CVE-2024-5023 was published for consoleme (pip) May 16, 2024
jaydhulia scottpacknetflix
patricksanders
Withdrawn Advisory: Weights and Biases (wandb) has a Server-Side Request Forgery (SSRF) vulnerability High
CVE-2024-4642 was published for wandb (pip) May 16, 2024 withdrawn
MLflow has a Local File Read/Path Traversal bypass High
CVE-2024-3848 was published for mlflow (pip) May 16, 2024
RunGptLLM class in LlamaIndex has a command injection High
CVE-2024-4181 was published for llama-index (pip) May 16, 2024
MLflow allows low privilege users to delete any artifact Moderate
CVE-2024-4263 was published for mlflow (pip) May 16, 2024
Scrapy allows redirect following in protocols other than HTTP Moderate
GHSA-23j4-mw76-5v7h was published for Scrapy (pip) May 14, 2024
Scrapy's redirects ignoring scheme-specific proxy settings Moderate
GHSA-jm3v-qxmh-hxwv was published for Scrapy (pip) May 14, 2024
Scrapy leaks the authorization header on same-domain but cross-origin redirects Moderate
CVE-2024-1968 was published for Scrapy (pip) May 14, 2024
Szarny
OctoPrint has an Authentication Bypass via X-Forwarded-For Header when autologinLocal is enabled High
CVE-2024-32977 was published for OctoPrint (pip) May 14, 2024
jacopotediosi
Apache Airflow: XSS vulnerability in Task Instance Log/Log Details Moderate
CVE-2024-32077 was published for apache-airflow (pip) May 14, 2024
Nautobot's BANNER_* configuration can be used to inject arbitrary HTML content into Nautobot pages High
CVE-2024-34707 was published for nautobot (pip) May 13, 2024
michaelpanorios
llama-cpp-python vulnerable to Remote Code Execution by Server-Side Template Injection in Model Metadata Critical
CVE-2024-34359 was published for llama-cpp-python (pip) May 13, 2024
retr0reg
Malicious Long Unicode filenames may cause a Multiple Application-level Denial of Service Critical
CVE-2024-32874 was published for frigate (pip) May 9, 2024
Sim4n6
Apache Superset Incorrect Authorization vulnerability Moderate
CVE-2024-28148 was published for apache-superset (pip) May 7, 2024
Arbitrary HTML present after sanitization because of unicode normalization High
CVE-2024-34078 was published for html-sanitizer (pip) May 6, 2024
yzueger
Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain High
CVE-2024-34069 was published for Werkzeug (pip) May 6, 2024
Ry0taK
Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter Moderate
CVE-2024-34064 was published for Jinja2 (pip) May 6, 2024
Ry0taK
Litestar and Starlite vulnerable to Path Traversal High
CVE-2024-32982 was published for litestar (pip) May 6, 2024
brian-edgar-re
ProTip! Advisories are also available from the GraphQL API