GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
4,114 advisories
pgadmin4 has a Meta-Command Filter Command Execution (Critical)
CVE-2025-13780 was published for pgadmin4 (pip) Dec 11, 2025
Pyrofork has a Path Traversal in download_media Method (Moderate)
CVE-2025-67720 was published for pyrofork (pip) Dec 10, 2025
LangGraph's SQLite is vulnerable to SQL injection via metadata filter key in SQLite checkpointer list method (High)
CVE-2025-67644 was published for langgraph-checkpoint-sqlite (pip) Dec 10, 2025
Cybersecurity AI (CAI) vulnerable to Command Injection in run_ssh_command_with_credentials Agent tool (Critical)
CVE-2025-67511 was published for cai-framework (pip) Dec 9, 2025
HTTP/HTTPS Traffic Interception Bypass in mad-proxy (Moderate)
CVE-2025-67485 was published for mad-proxy (pip) Dec 9, 2025
Open Redirect Vulnerability in Taguette (Moderate)
CVE-2025-67502 was published for taguette (pip) Dec 9, 2025
NiceGUI has a path traversal in app.add_media_files() allows arbitrary file read (High)
CVE-2025-66645 was published for nicegui (pip) Dec 9, 2025
NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content (Moderate)
CVE-2025-66470 was published for nicegui (pip) Dec 8, 2025
NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection (Moderate)
CVE-2025-66469 was published for nicegui (pip) Dec 8, 2025
urllib3 streaming API improperly handles highly compressed data (High)
CVE-2025-66471 was published for urllib3 (pip) Dec 5, 2025
urllib3 allows an unbounded number of links in the decompression chain (High)
CVE-2025-66418 was published for urllib3 (pip) Dec 5, 2025
Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web (High)
CVE-2025-65958 was published for open-webui (pip) Dec 4, 2025
ComposioHQ has a directory traversal vulnerability (Moderate)
CVE-2025-56427 was published for composio (pip) Dec 4, 2025
open-webui is Vulnerable to Incorrect Access Control (Low)
CVE-2025-63681 was published for open-webui (pip) Dec 4, 2025
Ansible Community General Collection is vulnerable to exposure of sensitive information (Moderate)
CVE-2025-14010 was published for ansible (pip) Dec 4, 2025
asyncmy is vulnerable to SQL injection via crafted dict keys (Critical)
CVE-2025-65896 was published for asyncmy (pip) Dec 2, 2025
Django is vulnerable to SQL injection in column aliases (Moderate)
CVE-2025-13372 was published for Django (pip) Dec 2, 2025
Django is vulnerable to DoS via XML serializer text extraction (Moderate)
CVE-2025-64460 was published for Django (pip) Dec 2, 2025
arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints (Moderate)
CVE-2025-66454 was published for arcade-mcp-server (pip) Dec 2, 2025
vLLM vulnerable to remote code execution via transformers_utils/get_config (High)
CVE-2025-66448 was published for vllm (pip) Dec 2, 2025
Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default (High)
CVE-2025-66416 was published for mcp (pip) Dec 2, 2025
Calibre-Web Has a Stored Cross-Site Scripting (XSS) Vulnerability via the 'username' Field During User Creation (Low)
CVE-2025-65858 was published for calibreweb (pip) Dec 2, 2025
Keras Directory Traversal Vulnerability (High)
CVE-2025-12060 was published for keras (pip) Dec 2, 2025
Werkzeug safe_join() allows Windows special device names (Moderate)
CVE-2025-66221 was published for werkzeug (pip) Dec 2, 2025
Spotipy has a XSS vulnerability in its OAuth callback server (Low)
CVE-2025-66040 was published for spotipy (pip) Dec 1, 2025