Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

15 advisories

Loading
HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through High
CVE-2024-52595 was published for lxml-html-clean (pip) Nov 19, 2024
JorianWoltjer Credited to JorianWoltjer and frenzymadness frenzymadness frenzymadness
Picklescan Vulnerable to Exfiltration via DNS via linecache and ssl.get_server_certificate High
CVE-2025-46417 was published for picklescan (pip) Apr 7, 2025
david3107 Credited to david3107
Fickling has missing detection for marshal.loads and types.FunctionType in unsafe modules list High
CVE-2025-67747 was published for fickling (pip) Dec 15, 2025
0x00nier Credited to 0x00nier and ajohnston9 ajohnston9 ajohnston9
Fickling has Code Injection vulnerability via pty.spawn() High
CVE-2025-67748 was published for fickling (pip) Dec 15, 2025
ajohnston9 Credited to ajohnston9 and 0x00nier 0x00nier 0x00nier
Picklescan does not block ctypes High
CVE-2025-71323 was published for picklescan (pip) Dec 29, 2025
0x-Apollyon Credited to 0x-Apollyon
Picklescan has Incomplete List of Disallowed Inputs High
CVE-2025-71320 was published for picklescan (pip) Dec 29, 2025
0x-Apollyon Credited to 0x-Apollyon
Fickling has a bypass via runpy.run_path() and runpy.run_module() High
CVE-2026-22606 was published for fickling (pip) Jan 9, 2026
beneaththecode Credited to beneaththecode
Fickling Blocklist Bypass: cProfile.run() High
CVE-2026-22607 was published for fickling (pip) Jan 9, 2026
beneaththecode Credited to beneaththecode
Fickling vulnerable to use of ctypes and pydoc gadget chain to bypass detection High
CVE-2026-22608 was published for fickling (pip) Jan 9, 2026
0x-Apollyon Credited to 0x-Apollyon
Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist High
CVE-2026-22609 was published for fickling (pip) Jan 9, 2026
mldangelo Credited to mldangelo
Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER High
CVE-2026-53875 was published for picklescan (pip) Feb 18, 2026
zpbrent Credited to zpbrent
Fickling missing RCE-capable modules in UNSAFE_IMPORTS High
GHSA-5hwf-rc88-82xm was published for fickling (pip) Mar 4, 2026
yash2998chhabria Credited to yash2998chhabria
SageMaker Python SDK replaced eval() with safe parser in JumpStart search functionality High
GHSA-5r2p-pjr8-7fh7 was published for sagemaker (pip) Mar 5, 2026
daridor9 Credited to daridor9
PySpector has a Plugin Sandbox Bypass leads to Arbitrary Code Execution High
CVE-2026-33139 was published for pyspector (pip) Mar 18, 2026
Shinigami81 Credited to Shinigami81
`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes High
CVE-2026-49825 was published for lxml_html_clean (pip) Jul 8, 2026
glefait Credited to glefait, frenzymadness, and scoder frenzymadness frenzymadness
scoder scoder
ProTip! Advisories are also available from the GraphQL API