GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
155 advisories
check-branches is vulnerable to command Injection
Critical
CVE-2025-11148
was published
for
check-branches
(npm)
Sep 30, 2025
Command Injection in adb-mcp MCP Server
Critical
CVE-2025-59834
was published
for
adb-mcp
(npm)
Sep 24, 2025
interactive-git-checkout has a Command Injection vulnerability
Critical
CVE-2025-59046
was published
for
interactive-git-checkout
(npm)
Sep 10, 2025
@akoskm/create-mcp-server-stdio is vulnerable to MCP Server Command Injection through `exec` API
Critical
CVE-2025-54994
was published
for
@akoskm/create-mcp-server-stdio
(npm)
Sep 8, 2025
CodeceptJS's incomprehensive sanitation can lead to Command Injection
Critical
CVE-2025-57285
was published
for
codeceptjs
(npm)
Sep 8, 2025
screenshot-desktop vulnerable to command Injection via `format` option
Critical
CVE-2025-55294
was published
for
screenshot-desktop
(npm)
Aug 19, 2025
Active Storage allowed transformation methods that were potentially unsafe
Critical
CVE-2025-24293
was published
for
activestorage
(RubyGems)
Aug 14, 2025
@nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers
Critical
CVE-2025-54782
was published
for
@nestjs/devtools-integration
(npm)
Aug 1, 2025
tj-actions/branch-names has a Command Injection Vulnerability
Critical
CVE-2025-54416
was published
for
tj-actions/branch-names
(GitHub Actions)
Jul 25, 2025
goshs route not protected, allows command execution
Critical
CVE-2025-46816
was published
for
github.com/patrickhener/goshs
(Go)
May 6, 2025
YoutubeDLSharp allows command injection on windows system due to non sanitized arguments
Critical
CVE-2025-43858
was published
for
YoutubeDLSharp
(NuGet)
Apr 23, 2025
SurrealDB server-takeover via SurrealQL injection on backup import
Critical
GHSA-ccj3-5p93-8p42
was published
for
surrealdb
(Rust)
Apr 11, 2025
Withdrawn Advisory: Dask Vulnerable to Command Injection
Critical
CVE-2024-10096
was published
for
dask
(pip)
Mar 20, 2025
•
withdrawn
Grafana Command Injection And Local File Inclusion Via Sql Expressions
Critical
CVE-2024-9264
was published
for
github.com/grafana/grafana
(Go)
Oct 18, 2024
Command Injection in sequenceserver
Critical
CVE-2024-42360
was published
for
sequenceserver
(RubyGems)
Aug 13, 2024
ConsoleMe has an Arbitrary File Read Vulnerability via Limited Git command
Critical
CVE-2024-5023
was published
for
consoleme
(pip)
May 16, 2024
ProTip!
Advisories are also available from the
GraphQL API