Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,867
Maven
5,000+
npm
4,488
NuGet
780
pip
4,244
Pub
12
RubyGems
975
Rust
1,096
Swift
49
Unreviewed advisories
All unreviewed
5,000+

74 advisories

Loading
vLLM affected by RCE via auto_map dynamic module loading during model initialization High
CVE-2026-22807 was published for vllm (pip) Jan 21, 2026
zaddy6 arthurgervais
DarkLight1337 russellb
Credited to zaddy6, arthurgervais, DarkLight1337, and russellb
Picklescan is vulnerable to RCE via missing detection when calling built-in python _operator.attrgetter High
GHSA-46h3-79wf-xr6c was published for picklescan (pip) Dec 30, 2025
CoolwindHF
Credited to CoolwindHF
Picklescan is vulnerable to RCE via missing detection when calling built-in python _operator.methodcaller High
GHSA-955r-x9j8-7rhh was published for picklescan (pip) Dec 30, 2025
CoolwindHF
Credited to CoolwindHF
Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.getlincoef High
GHSA-rrxm-2pvv-m66x was published for picklescan (pip) Dec 30, 2025
ac0d3r Lyutoon
Credited to ac0d3r and Lyutoon
Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran.myeval High
GHSA-3329-ghmp-jmv5 was published for picklescan (pip) Dec 29, 2025
CoolwindHF
Credited to CoolwindHF
Picklescan is vulnerable to RCE through missing detection when calling built-in python operator.methodcaller High
GHSA-x843-g5mx-g377 was published for picklescan (pip) Dec 29, 2025
CoolwindHF
Credited to CoolwindHF
Fickling has Code Injection vulnerability via pty.spawn() High
CVE-2025-67748 was published for fickling (pip) Dec 15, 2025
ajohnston9 0x00nier
Credited to ajohnston9 and 0x00nier
vLLM vulnerable to remote code execution via transformers_utils/get_config High
CVE-2025-66448 was published for vllm (pip) Dec 2, 2025
Vancir Isotr0py
DarkLight1337 russellb
Credited to Vancir, Isotr0py, DarkLight1337, and russellb
pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters High
CVE-2025-61773 was published for pyload-ng (pip) Oct 9, 2025
odaysec
Credited to odaysec
PyInstaller has local privilege escalation vulnerability High
CVE-2025-59042 was published for pyinstaller (pip) Sep 10, 2025
zhangyoufu
Credited to zhangyoufu
LLaMA-Factory allows Code Injection through improper vhead_file safeguards High
CVE-2025-53002 was published for llamafactory (pip) Jun 27, 2025
LianKee
Credited to LianKee
Langroid has a Code Injection vulnerability in LanceDocChatAgent through vector_store High
CVE-2025-46725 was published for langroid (pip) May 20, 2025
SCH227
Credited to SCH227
Pycel allows code injection via a crafted formula High
CVE-2024-53924 was published for pycel (pip) Apr 17, 2025
LoLLMS Code Injection vulnerability High
CVE-2024-6982 was published for lollms (pip) Mar 20, 2025
LiteLLM Vulnerable to Remote Code Execution (RCE) High
CVE-2024-6825 was published for litellm (pip) Mar 20, 2025
Kedro allows Remote Code Execution by Pulling Micro Packages High
CVE-2024-12215 was published for kedro (pip) Mar 20, 2025
H2O Vulnerable to Denial of Service (DoS) and File Write High
CVE-2024-10572 was published for ai.h2o:h2o-ext-xgboost (Maven) Mar 20, 2025
Arbitrary Code Execution via Crafted Keras Config for Model Loading High
CVE-2025-1550 was published for keras (pip) Mar 11, 2025
io-no
Credited to io-no
Duplicate Advisory: Keras arbitrary code execution vulnerability High
GHSA-5478-v2w6-c6q7 was published for keras (pip) Mar 11, 2025 withdrawn
Spacy-LLM Server-Side Template Injection (SSTI) vulnerability High
CVE-2025-25362 was published for spacy-llm (pip) Mar 5, 2025
pyrage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution High
CVE-2024-56327 was published for pyrage (pip) Dec 19, 2024
gaby woodruffw
Credited to gaby and woodruffw
TorchGeo Remote Code Execution Vulnerability High
CVE-2024-49048 was published for torchgeo (pip) Nov 12, 2024
AgentScope uses `eval` High
CVE-2024-48050 was published for agentscope (pip) Nov 5, 2024
sqlitedict insecure deserialization vulnerability High
CVE-2024-35515 was published for sqlitedict (pip) Sep 18, 2024
MindsDB Eval Injection vulnerability High
CVE-2024-45851 was published for mindsdb (pip) Sep 12, 2024
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database