Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
46
Go
3,270
Maven
5,000+
npm
5,000+
NuGet
867
pip
4,517
Pub
12
RubyGems
998
Rust
1,194
Swift
51
Unreviewed advisories
All unreviewed
5,000+

74 advisories

Loading
FastMCP OAuth Proxy token reuse across MCP servers High
CVE-2025-69196 was published for fastmcp (pip) Mar 16, 2026
an7y Credited to an7y
PyJWT accepts unknown `crit` header extensions High
CVE-2026-32597 was published for PyJWT (pip) Mar 13, 2026
dmbs335 Credited to dmbs335
Copyparty ftp/sftp: Sharing a single file did not fully restrict source-folder access Low
CVE-2026-32108 was published for copyparty (pip) Mar 12, 2026
thesanjok Credited to thesanjok
Apache Superset: Read-Only Bypass via Improper Input Validation on PostgreSQL Connections High
CVE-2026-23984 was published for apache-superset (pip) Feb 24, 2026
Apache Superset Improper Authorization allows low-privileged users to bypass access controls High
CVE-2026-23982 was published for apache-superset (pip) Feb 24, 2026
AutoGPT is Vulnerable to RCE via Disabled Block Execution High
CVE-2026-24780 was published for agpt (pip) Jan 29, 2026
rahulgovind Credited to rahulgovind
trytond does not enforce access rights for data export Moderate
CVE-2025-66424 was published for trytond (pip) Nov 30, 2025
trytond does not enforce access rights for the route of the HTML editor. High
CVE-2025-66423 was published for trytond (pip) Nov 30, 2025
OpenStack Keystone allows /v3/ec2tokens or /v3/s3tokens request with valid AWS Signature to provide Keystone authorization. High
CVE-2025-65073 was published for keystone (pip) Nov 17, 2025
Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass) High
CVE-2025-59420 was published for authlib (pip) Sep 22, 2025
AL-Cybision Credited to AL-Cybision
Apache Superset Allows Ownership Takeover Moderate
CVE-2025-27696 was published for apache-superset (pip) May 13, 2025
Open WebUI Allows Admin Deletion via API Endpoint High
CVE-2024-7039 was published for open-webui (pip) Mar 20, 2025
Letta (previously MemGPT) incorrect access control vulnerability High
CVE-2024-39025 was published for letta (pip) Dec 27, 2024
Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access High
CVE-2024-55633 was published for apache-superset (pip) Dec 12, 2024
Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled High
CVE-2024-53949 was published for apache-superset (pip) Dec 9, 2024
ansible-core Incorrect Authorization vulnerability Moderate
CVE-2024-9902 was published for ansible-core (pip) Nov 6, 2024
OpenCanary Executes Commands From Potentially Writable Config File Moderate
CVE-2024-48911 was published for OpenCanary (pip) Oct 14, 2024
rootkiTED Credited to rootkiTED, DavidBakerEffendi, and andreimid DavidBakerEffendi DavidBakerEffendi
andreimid andreimid
Red-DiscordBot vulnerable to Incorrect Authorization in commands API Moderate
CVE-2024-39905 was published for Red-DiscordBot (pip) Jul 11, 2024
Flame442 Credited to Flame442
Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0 High
CVE-2024-37300 was published for oauthenticator (pip) Jun 12, 2024
minrk Credited to minrk, yuvipanda, and manics yuvipanda yuvipanda
manics manics
Apache Submarine Server Core Incorrect Authorization vulnerability Critical
CVE-2024-36265 was published for apache-submarine (Maven) Jun 12, 2024
Apache Superset Incorrect Authorization vulnerability Moderate
CVE-2024-28148 was published for apache-superset (pip) May 7, 2024
vantage6's CORS settings overly permissive Moderate
CVE-2024-23823 was published for vantage6 (pip) Mar 15, 2024
Apache Superset: Improper data authorization when creating a new dataset Moderate
CVE-2024-24779 was published for apache-superset (pip) Feb 28, 2024
oscerd Credited to oscerd
Apache Superset: Improper authorization validation on dashboards and charts import Moderate
CVE-2024-26016 was published for apache-superset (pip) Feb 28, 2024
oscerd Credited to oscerd
Apache Superset: Improper validation of SQL statements allows for unauthorized access to data Moderate
CVE-2024-24773 was published for apache-superset (pip) Feb 28, 2024
oscerd Credited to oscerd
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database