GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,329 advisories

Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enables DoS
Severity: High
CVE-2026-54283 was published for starlette (pip) Jun 15, 2026
Credited to EthanKim88, Z-Bra0, Moaaz-0x, moizxsec, aest3ra, and oxqnd
Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname
Severity: Low
CVE-2026-54282 was published for Starlette (pip) Jun 15, 2026
Credited to nic-lovin
Tornado: CurlAsyncHTTPClient leaks per-request credentials on handle reuse
Severity: Moderate
GHSA-pw6j-qg29-8w7f was published for tornado (pip) Jun 15, 2026
python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service
Severity: High
CVE-2026-53539 was published for python-multipart (pip) Jun 15, 2026
Credited to maxisbey
python-multipart: Negative Content-Length in parse_form buffers the entire body in memory
Severity: Low
CVE-2026-53540 was published for python-multipart (pip) Jun 15, 2026
Credited to lullu57 and seok-hee97
python-multipart: Semicolon treated as querystring field separator enables parameter smuggling
Severity: Low
CVE-2026-53538 was published for python-multipart (pip) Jun 15, 2026
Credited to maxisbey
python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters
Severity: Low
CVE-2026-53537 was published for python-multipart (pip) Jun 15, 2026
Credited to 0xkakash1 and sammiee5311
Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient
Severity: High
CVE-2026-49853 was published for tornado (pip) Jun 15, 2026
Credited to noobone123, SnailSploit, 0xHunSec, and sondt99
tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)
Severity: High
CVE-2026-49855 was published for tornado (pip) Jun 15, 2026
Credited to yuui25
Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows
Severity: High
CVE-2026-48818 was published for starlette (pip) Jun 15, 2026
Credited to nvn1729
Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr`
Severity: Moderate
CVE-2026-48817 was published for starlette (pip) Jun 15, 2026
Vulnerable OpenSSL included in cryptography wheels
Severity: High
GHSA-537c-gmf6-5ccf was published for cryptography (pip) Jun 15, 2026
aiohttp: Incomplete websocket frame payloads bypass memory limits
Severity: Moderate
CVE-2026-54274 was published for aiohttp (pip) Jun 15, 2026
Credited to denyspakizh-tob and Dreamsorcerer
aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
Severity: Low
CVE-2026-54275 was published for aiohttp (pip) Jun 15, 2026
Credited to denyspakizh-tob and bdraco
aiohttp: Payload Response Resources Are Not Closed After Mid-Body Disconnect
Severity: Low
CVE-2026-54280 was published for aiohttp (pip) Jun 15, 2026
Credited to denyspakizh-tob and bdraco
aiohttp: HTTP/1 Pipelined Requests Queue Without Limit
Severity: Moderate
CVE-2026-54273 was published for aiohttp (pip) Jun 15, 2026
Credited to denyspakizh-tob and bdraco
aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup
Severity: Moderate
CVE-2026-54278 was published for aiohttp (pip) Jun 15, 2026
Credited to denyspakizh-tob and bdraco
aiohttp: C HTTP Parser Bypasses max_line_size for Fragmented Lines
Severity: Moderate
CVE-2026-54277 was published for aiohttp (pip) Jun 15, 2026
Credited to denyspakizh-tob and bdraco
aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
Severity: Moderate
CVE-2026-54276 was published for aiohttp (pip) Jun 15, 2026
Credited to denyspakizh-tob and bdraco
aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
Severity: Low
CVE-2026-54279 was published for aiohttp (pip) Jun 15, 2026
Credited to denyspakizh-tob and bdraco
aiohttp: CRLF injection in multipart headers
Severity: Low
CVE-2026-50269 was published for aiohttp (pip) Jun 15, 2026
Credited to tonghuaroot and Dreamsorcerer
Credited to thesmartshadow
Credited to KEIJOT
Credited to aradona91
PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys
Severity: Moderate
CVE-2026-48523 was published for pyjwt (pip) Jun 15, 2026
Credited to sushi-gif