GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
4,228 advisories
Werkzeug safe_join() allows Windows special device names with compound extensions
Moderate
CVE-2026-21860
was published
for
Werkzeug
(pip)
Jan 8, 2026
loggingredactor converts non-string types to string types in logs
Low
CVE-2026-22041
was published
for
loggingredactor
(pip)
Jan 7, 2026
Parsl Monitoring Visualization Vulnerable to SQL Injection
Moderate
CVE-2026-21892
was published
for
parsl
(pip)
Jan 6, 2026
NiceGUI has Redis connection leak via tab storage causes service degradation
Moderate
CVE-2026-21874
was published
for
nicegui
(pip)
Jan 8, 2026
NiceGUI apps which use `ui.sub_pages` vulnerable to zero-click XSS
High
CVE-2026-21873
was published
for
nicegui
(pip)
Jan 8, 2026
Bokeh server applications have Incomplete Origin Validation in WebSockets
Moderate
CVE-2026-21883
was published
for
bokeh
(pip)
Jan 6, 2026
NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links
Moderate
CVE-2026-21872
was published
for
nicegui
(pip)
Jan 8, 2026
MONAI has Path Traversal (Zip Slip) in NGC Private Bundle Download
Moderate
CVE-2026-21851
was published
for
monai
(pip)
Jan 6, 2026
NiceGUI is vulnerable to XSS via Unescaped URL in ui.navigate.history.push() / replace()
Moderate
CVE-2026-21871
was published
for
nicegui
(pip)
Jan 8, 2026
picklescan has Arbitrary file read using `io.FileIO`
High
GHSA-9726-w42j-3qjr
was published
for
picklescan
(pip)
Jan 8, 2026
AIOHTTP vulnerable to denial of service through large payloads
Moderate
CVE-2025-69228
was published
for
aiohttp
(pip)
Jan 5, 2026
Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc
High
GHSA-f83h-ghpp-7wcc
was published
for
pdfminer.six
(pip)
Nov 7, 2025
CBORDecoder reuse can leak shareable values across decode calls
Moderate
CVE-2025-68131
was published
for
cbor2
(pip)
Dec 31, 2025
badkeys vulnerable to ASCII control character injection on console via malformed input
Low
CVE-2026-21439
was published
for
badkeys
(pip)
Jan 5, 2026
AIOHTTP Vulnerable to Cookie Parser Warning Storm
Low
CVE-2025-69230
was published
for
aiohttp
(pip)
Jan 5, 2026
AIOHTTP vulnerable to DoS through chunked messages
Moderate
CVE-2025-69229
was published
for
aiohttp
(pip)
Jan 5, 2026
AIOHTTP vulnerable to DoS when bypassing asserts
Moderate
CVE-2025-69227
was published
for
aiohttp
(pip)
Jan 5, 2026
AIOHTTP vulnerable to brute-force leak of internal static file path components
Low
CVE-2025-69226
was published
for
aiohttp
(pip)
Jan 5, 2026
AIOHTTP has unicode match groups in regexes for ASCII protocol elements
Low
CVE-2025-69225
was published
for
aiohttp
(pip)
Jan 5, 2026
AIOHTTP's unicode processing of header values could cause parsing discrepancies
Low
CVE-2025-69224
was published
for
aiohttp
(pip)
Jan 5, 2026
ProTip!
Advisories are also available from the
GraphQL API