Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
55
GitHub Actions
50
Go
3,732
Maven
5,000+
npm
5,000+
NuGet
935
pip
4,952
Pub
13
RubyGems
1,055
Rust
1,343
Swift
54
Unreviewed advisories
All unreviewed
5,000+

15 advisories

Loading
next-intl has prototype pollution with `experimental.messages.precompile` via attacker-controlled translation catalog keys Moderate
GHSA-4c35-wcg5-mm9h was published for next-intl (npm) May 6, 2026
offset Credited to offset
Flowise: Parameter Override Bypass Remote Command Execution High
CVE-2026-41268 was published for flowise (npm) Apr 16, 2026
retpoline Credited to retpoline
vLLM: Denial of Service via Unbounded Frame Count in video/jpeg Base64 Processing Moderate
CVE-2026-34755 was published for vllm (pip) Apr 3, 2026
SEORY0 Credited to SEORY0, russellb, jperezdealgaba, DarkLight1337, and Isotr0py russellb russellb
jperezdealgaba jperezdealgaba DarkLight1337 DarkLight1337 Isotr0py Isotr0py
vLLM has RCE In Video Processing Critical
CVE-2026-22778 was published for vllm (pip) Feb 2, 2026
dan-sec-ops Credited to dan-sec-ops, DarkLight1337, and russellb DarkLight1337 DarkLight1337
russellb russellb
lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load() High
CVE-2025-67729 was published for lmdeploy (pip) Dec 26, 2025
yueyueL Credited to yueyueL
Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web High
CVE-2025-65958 was published for open-webui (pip) Dec 4, 2025
teolines Credited to teolines
vLLM vulnerable to remote code execution via transformers_utils/get_config High
CVE-2025-66448 was published for vllm (pip) Dec 2, 2025
Vancir Credited to Vancir, Isotr0py, DarkLight1337, and russellb Isotr0py Isotr0py
DarkLight1337 DarkLight1337 russellb russellb
MONAI: Unsafe torch usage may lead to arbitrary code execution High
CVE-2025-58756 was published for monai (pip) Sep 9, 2025
h3rrr Credited to h3rrr
parse-duration has a Regex Denial of Service that results in event loop delay and out of memory High
CVE-2025-25283 was published for parse-duration (npm) Feb 12, 2025
lirantal Credited to lirantal
@saltcorn/plugins-loader unsanitized plugin name leads to a remote code execution (RCE) vulnerability when creating plugins using git source High
GHSA-fm76-w8jw-xf8m was published for @saltcorn/plugins-loader (npm) Oct 3, 2024
dellalibera Credited to dellalibera
Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass High
CVE-2024-28116 was published for getgrav/grav (Composer) Mar 22, 2024
akabe1 Credited to akabe1
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable High
CVE-2022-37603 was published for loader-utils (npm) Oct 14, 2022
jeran-urban Credited to jeran-urban
Prototype pollution in webpack loader-utils Critical
CVE-2022-37601 was published for loader-utils (npm) Oct 13, 2022
westonsteimel Credited to westonsteimel and kennylindley kennylindley kennylindley
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) High
CVE-2022-37599 was published for loader-utils (npm) Oct 12, 2022
jeran-urban Credited to jeran-urban and G-Rath G-Rath G-Rath
UNEDITABLE_SCHEMAS and UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES not respected by frontend service backend Low
GHSA-47qg-q58v-7vrp was published for amundsen-frontend (pip) Dec 2, 2020
dorianj Credited to dorianj
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database