GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

24,702 advisories

PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users Low
CVE-2025-64711 was published for privatebin/privatebin (Composer) Nov 14, 2025
Credited to esnard, rugk, and Ribas160
PrivateBin's template-switching feature allows arbitrary local file inclusion through path traversal Moderate
CVE-2025-64714 was published for privatebin/privatebin (Composer) Nov 14, 2025
Credited to esnard, elrido, and rugk
expr-eval vulnerable to Prototype Pollution High
CVE-2025-13204 was published for expr-eval (npm) Nov 14, 2025
@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields High
CVE-2025-64530 was published for @apollo/composition (npm) Nov 14, 2025
js-yaml has prototype pollution in merge (<<) Moderate
CVE-2025-64718 was published for js-yaml (npm) Nov 14, 2025
Credited to Zephkek, mhassan1, opal-visibuild, alexstrive, jlp-craigmorten, and turi4200
Mattermost allows system administrators to access password hashes and MFA secrets Moderate
CVE-2025-11794 was published for github.com/mattermost/mattermost-server (Go) Nov 14, 2025
Mattermost fails to properly restrict access to archived channel search API Moderate
CVE-2025-11776 was published for github.com/mattermost/mattermost (Go) Nov 14, 2025
Mattermost allows regular users to access archived channel content and files Low
CVE-2025-41436 was published for github.com/mattermost/mattermost-server (Go) Nov 14, 2025
Mattermost does not enforce MFA on WebSocket connections Moderate
CVE-2025-55070 was published for github.com/mattermost/mattermost-server (Go) Nov 14, 2025
Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL Moderate
CVE-2025-55073 was published for github.com/mattermost/mattermost-server (Go) Nov 14, 2025
Directus Vulnerable to Information Leakage in Existing Collections Moderate
CVE-2025-64749 was published for @directus/api (npm) Nov 13, 2025
Credited to sbstn-k and kmzs
Directus's conceal fields are searchable if read permissions enabled Moderate
CVE-2025-64748 was published for @directus/api (npm) Nov 13, 2025
Credited to bryantgillespie
LXD vulnerable to a local privilege escalation through custom storage volumes High
GHSA-3g2j-vm47-x4mj was published for github.com/canonical/lxd (Go) Nov 13, 2025
Credited to abdodz1234 and stgraber
ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values High
GHSA-4249-gjr8-jpq3 was published for prosemirror_to_html (RubyGems) Nov 13, 2025
SpiceDB WriteRelationships fails silently if payload is too big Low
CVE-2025-64529 was published for github.com/authzed/spicedb (Go) Nov 13, 2025
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass Moderate
CVE-2025-64525 was published for astro (npm) Nov 13, 2025
Credited to cold-try and delucis
Astro development server error page vulnerable to reflected Cross-site Scripting Low
CVE-2025-64745 was published for astro (npm) Nov 13, 2025
Credited to pHo9UBenaA, delucis, and florian-lefebvre
File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency Critical
GHSA-6jqf-mv7m-3q7p was published for github.com/filebrowser/filebrowser/v2 (Go) Nov 13, 2025
Credited to Francesco-Bellomi and hacdias
File Browser is Vulnerable to Insecure Direct Object Reference (IDOR) in Share Deletion Function High
CVE-2025-64523 was published for github.com/filebrowser/filebrowser (Go) Nov 13, 2025
Credited to bbodisteanu-hacken and hacdias
Credited to nickcopi, hydrosquall, domoritz, jeramysoucy, lsh, and kachkaev
AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance High
GHSA-8wj8-cfxr-9374 was published for aws-advanced-nodejs-wrapper (npm) Nov 13, 2025
AWS Advanced Go Wrapper: Privilege Escalation in Aurora PostgreSQL Instance High
GHSA-7wq2-32h4-9hc9 was published for github.com/aws/aws-advanced-go-wrapper/awssql (Go) Nov 13, 2025
Amazon Web Services Advanced JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance High
GHSA-7xw4-g7mm-r4hh was published for software.amazon.jdbc:aws-advanced-jdbc-wrapper (Maven) Nov 13, 2025
AWS Advanced Python Wrapper: Privilege Escalation in Aurora PostgreSQL instance High
CVE-2025-12967 was published for aws_advanced_python_wrapper (pip) Nov 13, 2025
Keycloak allows Binding to an Unrestricted IP Address Moderate
CVE-2025-11538 was published for org.keycloak:keycloak-quarkus-server (Maven) Nov 13, 2025