GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

257 advisories

MindsDB has improper sanitation of filepath that leads to information disclosure and DOS [High]
CVE-2025-68472 was published for MindsDB (pip) Jan 12, 2026
Credited to locus-x64

picklescan has Arbitrary file read using `io.FileIO` [High]
GHSA-9726-w42j-3qjr was published for picklescan (pip) Jan 8, 2026
Credited to shivasurya

MONAI has Path Traversal (Zip Slip) in NGC Private Bundle Download [Moderate]
CVE-2026-21851 was published for monai (pip) Jan 6, 2026
Credited to yueyueL

AIOHTTP vulnerable to brute-force leak of internal static file path components [Low]
CVE-2025-69226 was published for aiohttp (pip) Jan 5, 2026
Credited to ThomasRinsma

Home Assistant Core before is vulnerable to Directory Traversal [Moderate]
CVE-2025-65713 was published for homeassistant (pip) Dec 23, 2025

Weblate is vulnerable to RCE through Git config file overwrite [Critical]
CVE-2025-68398 was published for Weblate (pip) Dec 18, 2025
Credited to secjson and nijel

Weblate has an arbitrary file read via symbolic links [High]
CVE-2025-68279 was published for Weblate (pip) Dec 18, 2025
Credited to secjson and nijel

mcp-server-git has missing path validation when using --repository flag [Moderate]
CVE-2025-68145 was published for mcp-server-git (pip) Dec 17, 2025

mcp-server-git's unrestricted git_init tool allows repository creation at arbitrary filesystem locations [Moderate]
CVE-2025-68143 was published for mcp-server-git (pip) Dec 17, 2025

Pyrofork has a Path Traversal in download_media Method [Moderate]
CVE-2025-67720 was published for pyrofork (pip) Dec 10, 2025
Credited to yueyueL

NiceGUI has a path traversal in app.add_media_files() allows arbitrary file read [High]
CVE-2025-66645 was published for nicegui (pip) Dec 9, 2025
Credited to y4rvin, evnchn, and falkoschindler

ComposioHQ has a directory traversal vulnerability [Moderate]
CVE-2025-56427 was published for composio (pip) Dec 4, 2025

Keras Directory Traversal Vulnerability [High]
CVE-2025-12060 was published for keras (pip) Dec 2, 2025
Credited to ready-research

Duplicate Advisory: Keras keras.utils.get_file API is vulnerable to a path traversal attack [High]
CVE-2025-12638 was published for Keras (pip) Nov 28, 2025 (withdrawn)

AstrBot has an arbitrary file read vulnerability in function _encode_image_bs64 [Moderate]
CVE-2025-57697 was published for AstrBot (pip) Nov 7, 2025

AstrBot contains a directory traversal vulnerability [High]
CVE-2025-57698 was published for AstrBot (pip) Nov 7, 2025

Dosage vulnerable to a Directory Traversal through crafted HTTP responses [High]
CVE-2025-64184 was published for dosage (pip) Nov 4, 2025
Credited to TobiX

Duplicate Advisory: Keras keras.utils.get_file API is vulnerable to a path traversal attack [High]
GHSA-28jp-44vh-q42h was published for keras (pip) Oct 30, 2025 (withdrawn)

MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability [High]
CVE-2025-11201 was published for mlflow (pip) Oct 29, 2025
Credited to mueslo

Mammoth is vulnerable to Directory Traversal [Moderate]
CVE-2025-11849 was published for Mammoth (Maven) Oct 17, 2025

BBOT's insufficient sanitization issues in gitdumper.py can lead to RCE [Critical]
CVE-2025-10283 was published for bbot (pip) Oct 9, 2025
Credited to justinsteven

BBOT's various issues in unarchive.py can cause arbitrary file write and RCE [Critical]
CVE-2025-10284 was published for bbot (pip) Oct 9, 2025
Credited to justinsteven, liquidsec, and TheTechromancer

LLaMA Factory's Chat API Contains Critical SSRF and LFI Vulnerabilities [High]
CVE-2025-61784 was published for llamafactory (pip) Oct 7, 2025
Credited to d3do-23, kexinoh, and lonelyuan

clearml is vulnerable to Path Traversal through its `safe_extract` function [Moderate]
CVE-2025-8917 was published for clearml (pip) Oct 5, 2025

ZenML is vulnerable to Path Traversal through its `PathMaterializer` class [Moderate]
CVE-2025-8406 was published for zenml (pip) Oct 5, 2025