GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 39; GitHub Actions 38; Go 2,655; Maven 5,000+; npm 4,284; NuGet 760; pip 4,067; Pub 12; RubyGems 957; Rust 1,057; Swift 45.
Unreviewed advisories: 5,000+.

8,583 advisories; the entries shown below are all rated High.
KubeVirt Vulnerable to Arbitrary Host File Read and Write
  High, CVE-2025-64324, kubevirt.io/kubevirt (Go), published Nov 7, 2025

Session is cached for OpenID and OAuth2 if `redirect` is not used
  High, CVE-2024-45596, @directus/api (npm), published Sep 10, 2024

OpenStack Keystone allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization
  High, CVE-2025-65073, keystone (pip), published Nov 17, 2025

Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register)
  High, GHSA-v5w9-prxf-w882, flowise (npm), published Nov 17, 2025

glob CLI: Command injection via -c/--cmd executes matches with shell:true
  High, CVE-2025-64756, glob (npm), published Nov 17, 2025

phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality
  High, CVE-2025-62519, phpmyfaq/phpmyfaq (Composer), published Nov 17, 2025

expr-eval vulnerable to Prototype Pollution
  High, CVE-2025-13204, expr-eval (npm), published Nov 14, 2025

Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values
  High, CVE-2025-64501, prosemirror_to_html (RubyGems), published Nov 6, 2025

Duplicate Advisory: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict
  High, GHSA-jj37-3377-m6vv, nodemailer (npm), published Nov 14, 2025, withdrawn

Scrapy is vulnerable to a denial of service (DoS) attack due to flaws in its brotli decompression implementation
  High, CVE-2025-6176, Scrapy (pip), published Oct 31, 2025

Microsoft Security Advisory CVE-2024-38081 | .NET Elevation of Privilege Vulnerability
  High, CVE-2024-38081, Microsoft.IO.Redist (NuGet), published Jul 9, 2024

expr-eval does not restrict functions passed to the evaluate function
  High, CVE-2025-12735, expr-eval (npm), published Nov 5, 2025

Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
  High, CVE-2025-64500, symfony/http-foundation (Composer), published Nov 12, 2025

OpenAM: Using arbitrary OIDC requested claims values in id_token and user_info is allowed
  High, CVE-2025-64099, org.openidentityplatform.openam:openam-oauth2 (Maven), published Nov 12, 2025

Malicious URL drafting attack against iodine's static file server may allow path traversal
  High, CVE-2024-22050, iodine (RubyGems), published Oct 7, 2019

Ignite Realtime Openfire privilege escalation vulnerability
  High, CVE-2024-25420, org.igniterealtime.openfire:xmppserver (Maven), published Mar 26, 2024

CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection
  High, CVE-2025-64518, org.cyclonedx:cyclonedx-core-java (Maven), published Nov 10, 2025

Liferay Portal Vulnerable to CSRF in Headless APIs
  High, CVE-2025-62258, com.liferay.portal:release.portal.bom (Maven), published Oct 28, 2025

Liferay Portal Vulnerable to DoS via Crafted Headless API Request
  High, CVE-2025-62260, com.liferay.portal:release.portal.bom (Maven), published Oct 28, 2025

Apache Tomcat Vulnerable to Relative Path Traversal
  High, CVE-2025-55752, org.apache.tomcat.embed:tomcat-embed-core (Maven), published Oct 27, 2025

Insecure Deserialization (pickle) in pdfminer.six CMap Loader: Local Privesc
  High, GHSA-f83h-ghpp-7wcc, pdfminer.six (pip), published Nov 7, 2025

youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects
  High, CVE-2025-62596, youki (Rust), published Nov 5, 2025

youki container escape via "masked path" abuse due to mount race conditions
  High, CVE-2025-62161, youki (Rust), published Nov 5, 2025

MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling
  High, CVE-2025-47776, mantisbt/mantisbt (Composer), published Nov 3, 2025

Arbitrary Code Execution in pdfminer.six via Crafted PDF Input
  High, CVE-2025-64512, pdfminer.six (pip), published Nov 7, 2025
Advisories are also available from the GitHub GraphQL API.
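The GraphQL route mentioned above, as an added example that is neither GitHub's code nor part of this page: a Python script that requests one page of advisories from the GitHub GraphQL API (token taken from GITHUB_TOKEN; the network is touched only when the script is run directly), flattens the response into the same columns as this listing, keeps only advisories rated HIGH or above, and flags withdrawn advisories such as the nodemailer duplicate above instead of listing them silently. The query uses the field names of GitHub's `securityAdvisories` connection as documented for that API; the sample response embedded in the script is constructed, and its GHSA-0000/GHSA-1111 ids, timestamps and version data are placeholders, not advisory-database values.

```python
"""Pull advisories from the GitHub Advisory Database over the GraphQL API.
Added example, not GitHub's code nor code from this page. Assumes the
`securityAdvisories` connection and field names of the GitHub GraphQL API and a
token in GITHUB_TOKEN; only fetch_advisories() touches the network."""
import json
import os
import urllib.request

# Fields chosen to reproduce the listing's columns (title, severity, identifier,
# package/ecosystem, date) plus withdrawnAt, so withdrawn duplicates stay visible.
QUERY = """
query($first: Int!, $after: String) {
  securityAdvisories(first: $first, after: $after,
                     orderBy: {field: PUBLISHED_AT, direction: DESC}) {
    pageInfo { hasNextPage endCursor }
    nodes {
      ghsaId summary severity publishedAt withdrawnAt
      identifiers { type value }
      vulnerabilities(first: 10) { nodes {
        package { ecosystem name } vulnerableVersionRange firstPatchedVersion { identifier }
      } }
    }
  }
}
"""

SEVERITY_RANK = {"LOW": 0, "MODERATE": 1, "HIGH": 2, "CRITICAL": 3}


def fetch_advisories(token, first=50, after=None):
    """POST one page of the query with a bearer token; returns decoded JSON."""
    payload = {"query": QUERY, "variables": {"first": first, "after": after}}
    req = urllib.request.Request(
        "https://api.github.com/graphql", data=json.dumps(payload).encode(),
        headers={"Authorization": f"bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize(response, min_severity="HIGH"):
    """One row per (advisory, affected package), at or above min_severity.
    Reports the CVE id when one is attached (else the GHSA id) and flags
    withdrawn advisories rather than silently including them."""
    rows = []
    for adv in response["data"]["securityAdvisories"]["nodes"]:
        if SEVERITY_RANK[adv["severity"]] < SEVERITY_RANK[min_severity]:
            continue
        cve = next((i["value"] for i in adv["identifiers"] if i["type"] == "CVE"), None)
        for vuln in adv["vulnerabilities"]["nodes"]:
            fixed = vuln["firstPatchedVersion"]
            rows.append({
                "title": adv["summary"], "severity": adv["severity"],
                "id": cve or adv["ghsaId"],
                "package": vuln["package"]["name"], "ecosystem": vuln["package"]["ecosystem"],
                "range": vuln["vulnerableVersionRange"],
                "fixed": fixed["identifier"] if fixed else None,
                "published": adv["publishedAt"][:10],
                "withdrawn": adv["withdrawnAt"] is not None,
            })
    return rows


def by_ecosystem(rows):
    """Count live (non-withdrawn) rows per ecosystem, like the sidebar totals."""
    counts = {}
    for row in rows:
        if not row["withdrawn"]:
            counts[row["ecosystem"]] = counts.get(row["ecosystem"], 0) + 1
    return counts


def _node(ghsa, summary, severity, published, withdrawn, cve, eco, name):
    """Build one constructed advisory node; version fields are placeholders."""
    ids = [{"type": "GHSA", "value": ghsa}] + ([{"type": "CVE", "value": cve}] if cve else [])
    return {"ghsaId": ghsa, "summary": summary, "severity": severity,
            "publishedAt": published, "withdrawnAt": withdrawn, "identifiers": ids,
            "vulnerabilities": {"nodes": [{"package": {"ecosystem": eco, "name": name},
                                           "vulnerableVersionRange": "(placeholder)",
                                           "firstPatchedVersion": None}]}}


# Constructed sample, not real API output. Two nodes mirror entries on this page;
# GHSA-0000-..., GHSA-1111-..., the timestamps and the version data are placeholders.
SAMPLE = {"data": {"securityAdvisories": {
    "pageInfo": {"hasNextPage": False, "endCursor": None},
    "nodes": [
        _node("GHSA-0000-0000-0000", "KubeVirt Vulnerable to Arbitrary Host File Read and Write",
              "HIGH", "2025-11-07T00:00:00Z", None, "CVE-2025-64324", "GO", "kubevirt.io/kubevirt"),
        _node("GHSA-jj37-3377-m6vv", "Duplicate Advisory: Nodemailer: Email to an unintended "
              "domain can occur due to Interpretation Conflict",
              "HIGH", "2025-11-14T00:00:00Z", "2025-11-14T00:00:00Z", None, "NPM", "nodemailer"),
        _node("GHSA-1111-1111-1111", "Constructed moderate advisory, dropped at the default cut-off",
              "MODERATE", "2025-11-01T00:00:00Z", None, None, "PIP", "example-pkg"),
    ]}}}

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    rows = summarize(fetch_advisories(token) if token else SAMPLE)
    for r in rows:
        print(r["severity"], r["id"], f'{r["package"]} ({r["ecosystem"]})', r["published"],
              "[withdrawn]" if r["withdrawn"] else "")
    print(by_ecosystem(rows))
```

Run it without GITHUB_TOKEN to see the constructed sample flattened; with a token it pulls the newest 50 advisories, and `pageInfo.endCursor` can be fed back as `after` to page further. The withdrawn flag matters in practice: a withdrawn duplicate still carries a HIGH severity in the response, so a consumer that keys only on severity would alert on it twice.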