Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,714
Erlang
34
GitHub Actions
28
Go
2,300
Maven
5,000+
npm
3,942
NuGet
708
pip
3,711
Pub
12
RubyGems
920
Rust
960
Swift
38
Unreviewed advisories
All unreviewed
5,000+

478 advisories

Loading
Langroid has a Code Injection vulnerability in TableChatAgent Critical
CVE-2025-46724 was published for langroid (pip) May 20, 2025
SCH227
vLLM Allows Remote Code Execution via PyNcclPipe Communication Service Critical
CVE-2025-47277 was published for vllm (pip) May 20, 2025
kikayli russellb
omjeki
InvokeAI Deserialization of Untrusted Data vulnerability Critical
CVE-2024-12029 was published for InvokeAI (pip) Mar 21, 2025
zly123987
Directory traversal in zenml Critical
CVE-2024-2083 was published for zenml (pip) Apr 16, 2024
Django-Unicorn Class Pollution Vulnerability, Leading to XSS, DoS and Authentication Bypass Critical
CVE-2025-24370 was published for django-unicorn (pip) Feb 3, 2025
superboy-zjc jackfromeast
Browser Use allows bypassing `allowed_domains` by putting a decoy domain in http auth username portion of a URL Critical
CVE-2025-47241 was published for browser-use (pip) May 5, 2025
mmudryi markiyanch
Duplicate Advisory: `allowed_domains` can be bypassed by putting a decoy domain in http auth username portion of a URL Critical
GHSA-f54f-hr32-586f was published for browser-use (pip) May 3, 2025 withdrawn
Qiskit allows arbitrary code execution decoding QPY format versions < 13 Critical
CVE-2025-2000 was published for qiskit (pip) Mar 14, 2025
vLLM Vulnerable to Remote Code Execution via Mooncake Integration Critical
CVE-2025-32444 was published for vllm (pip) Apr 29, 2025
kexinoh ShangmingCai
russellb
vLLM allows Remote Code Execution by Pickle Deserialization via AsyncEngineRPCServer() RPC server entrypoints Critical
CVE-2024-9053 was published for vllm (pip) Mar 20, 2025
h11 accepts some malformed Chunked-Encoding bodies Critical
CVE-2025-43859 was published for h11 (pip) Apr 24, 2025
JeppW
BentoML's runner server Vulnerable to Remote Code Execution (RCE) via Insecure Deserialization Critical
CVE-2025-32375 was published for bentoml (pip) Apr 9, 2025
SeaW1nd
CVE-2025-24357 Malicious model remote code execution fix bypass with PyTorch < 2.6.0 Critical
GHSA-ggpf-24jw-3fcw was published for vllm (pip) Apr 23, 2025
azraelxuemo russellb
PyTorch: `torch.load` with `weights_only=True` leads to remote code execution Critical
CVE-2025-32434 was published for torch (pip) Apr 18, 2025
azraelxuemo
Duplicate Advisory: D-Tale Command Injection vulnerability Critical
CVE-2025-0655 was published for dtale (pip) Mar 20, 2025 withdrawn
TigerVNC accessible via the network and not just via a UNIX socket as intended Critical
CVE-2025-32428 was published for jupyter-remote-desktop-proxy (pip) Apr 12, 2025
frejanordsiek consideRatio
minrk
OpenStack Neutron allows remote attackers to bypass an intended ICMPv6-spoofing protection mechanism Critical
CVE-2015-8914 was published for neutron (pip) May 14, 2022
Langflow Vulnerable to Code Injection via the `/api/v1/validate/code` endpoint Critical
CVE-2025-3248 was published for langflow (pip) Apr 7, 2025
MLflow Path Traversal vulnerability Critical
CVE-2023-3765 was published for mlflow (pip) Jul 19, 2023
LNbits Lightning Network Payment System Vulnerable to Server-Side Request Forgery via LNURL Authentication Callback Critical
CVE-2025-32013 was published for lnbits (pip) Apr 7, 2025
xbow-security
PlotAI eval vulnerability Critical
CVE-2025-1497 was published for plotai (pip) Mar 10, 2025
vLLM deserialization vulnerability in vllm.distributed.GroupCoordinator.recv_object Critical
CVE-2024-9052 was published for vllm (pip) Mar 20, 2025
russellb
Roundup xml-rpc server improper check of property permissions Critical
CVE-2008-1475 was published for roundup (pip) May 1, 2022
anonymous4ACL24
Remote code execution in mlflow Critical
CVE-2024-0520 was published for mlflow (pip) Jun 6, 2024
mlflow vulnerable to Path Traversal Critical
CVE-2024-3573 was published for mlflow (pip) Apr 16, 2024
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database