Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33 advisories

Loading
`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes High
CVE-2026-49825 was published for lxml_html_clean (pip) Jul 8, 2026
glefait Credited to glefait, frenzymadness, and scoder frenzymadness frenzymadness
scoder scoder
Duplicate Advisory: PickleScan's profile.run blocklist mismatch allows exec() bypass Critical
GHSA-4mpj-78p6-rj59 was published for picklescan (pip) Jun 17, 2026 withdrawn
Duplicate Advisory: Picklescan has Incomplete List of Disallowed Inputs Critical
GHSA-6v84-v468-3c7f was published for picklescan (pip) Jun 17, 2026 withdrawn
Duplicate Advisory: Picklescan does not block ctypes Critical
GHSA-7f79-rvx6-vxc4 was published for picklescan (pip) Jun 17, 2026 withdrawn
Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output Low
GHSA-8rfp-98v4-mmr6 was published for bleach (pip) Jun 16, 2026
q1uf3ng Credited to q1uf3ng
fg0x0 Credited to fg0x0
PySpector has a Plugin Sandbox Bypass leads to Arbitrary Code Execution High
CVE-2026-33139 was published for pyspector (pip) Mar 18, 2026
Shinigami81 Credited to Shinigami81
fickling's `platform` module subprocess invocation evades `check_safety()` with `LIKELY_SAFE` Moderate
GHSA-5cxw-w2xg-2m8h was published for fickling (pip) Mar 13, 2026
mldangelo Credited to mldangelo
fickling modules linecache, difflib and gc are missing from the unsafe modules blocklist Moderate
GHSA-r48f-3986-4f9c was published for fickling (pip) Mar 13, 2026
fg0x0 Credited to fg0x0
SageMaker Python SDK replaced eval() with safe parser in JumpStart search functionality High
GHSA-5r2p-pjr8-7fh7 was published for sagemaker (pip) Mar 5, 2026
daridor9 Credited to daridor9
Fickling missing RCE-capable modules in UNSAFE_IMPORTS High
GHSA-5hwf-rc88-82xm was published for fickling (pip) Mar 4, 2026
yash2998chhabria Credited to yash2998chhabria
PickleScan has multiple stdlib modules with direct RCE not in blocklist Critical
GHSA-g38g-8gr9-h9xp was published for picklescan (pip) Mar 3, 2026
yash2998chhabria Credited to yash2998chhabria
PickleScan's profile.run blocklist mismatch allows exec() bypass Critical
CVE-2026-53873 was published for picklescan (pip) Mar 3, 2026
yash2998chhabria Credited to yash2998chhabria
Fickling has safety check bypass via REDUCE+BUILD opcode sequence Moderate
GHSA-mhc9-48gj-9gp3 was published for fickling (pip) Feb 25, 2026
yash2998chhabria Credited to yash2998chhabria
Fickling has a detection bypass via stdlib network-protocol constructors Low
GHSA-83pf-v6qq-pwmr was published for fickling (pip) Feb 20, 2026
NucleiAv Credited to NucleiAv
Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER High
CVE-2026-53875 was published for picklescan (pip) Feb 18, 2026
zpbrent Credited to zpbrent
Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist High
CVE-2026-22609 was published for fickling (pip) Jan 9, 2026
mldangelo Credited to mldangelo
Fickling vulnerable to use of ctypes and pydoc gadget chain to bypass detection High
CVE-2026-22608 was published for fickling (pip) Jan 9, 2026
0x-Apollyon Credited to 0x-Apollyon
Fickling Blocklist Bypass: cProfile.run() High
CVE-2026-22607 was published for fickling (pip) Jan 9, 2026
beneaththecode Credited to beneaththecode
Fickling has a bypass via runpy.run_path() and runpy.run_module() High
CVE-2026-22606 was published for fickling (pip) Jan 9, 2026
beneaththecode Credited to beneaththecode
libsodium has Incomplete List of Disallowed Inputs Moderate
CVE-2025-69277 was published for PyNaCl (Composer) Dec 31, 2025
Picklescan has Incomplete List of Disallowed Inputs High
CVE-2025-71320 was published for picklescan (pip) Dec 29, 2025
0x-Apollyon Credited to 0x-Apollyon
Picklescan does not block ctypes High
CVE-2025-71323 was published for picklescan (pip) Dec 29, 2025
0x-Apollyon Credited to 0x-Apollyon
Fickling has Code Injection vulnerability via pty.spawn() High
CVE-2025-67748 was published for fickling (pip) Dec 15, 2025
ajohnston9 Credited to ajohnston9 and 0x00nier 0x00nier 0x00nier
ProTip! Advisories are also available from the GraphQL API