GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
4,291 advisories
md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
Critical
CVE-2025-65108
was published
for
md-to-pdf
(npm)
Nov 20, 2025
@hpke/core reuses AEAD nonces
Critical
CVE-2025-64767
was published
for
@hpke/core
(npm)
Nov 20, 2025
Astro Cloudflare adapter has Stored Cross Site Scripting vulnerability in /_image endpoint
Moderate
CVE-2025-65019
was published
for
astro
(npm)
Nov 19, 2025
Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values
Moderate
CVE-2025-64765
was published
for
astro
(npm)
Nov 19, 2025
Astro vulnerable to reflected XSS via the server islands feature
High
CVE-2025-64764
was published
for
astro
(npm)
Nov 19, 2025
Astro Development Server has Arbitrary Local File Read
Low
CVE-2025-64757
was published
for
astro
(npm)
Nov 19, 2025
Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register)
High
GHSA-v5w9-prxf-w882
was published
for
flowise
(npm)
Nov 17, 2025
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message
Moderate
CVE-2025-64758
was published
for
@dependencytrack/frontend
(npm)
Nov 17, 2025
glob CLI: Command injection via -c/--cmd executes matches with shell:true
High
CVE-2025-64756
was published
for
glob
(npm)
Nov 17, 2025
Apollo Federation has Improper Enforcement of Access Control on Transitive Fields
High
GHSA-m8jr-fxqx-8xx6
was published
for
@apollo/composition
(npm)
Nov 14, 2025
Directus is Vulnerable to Stored Cross-site Scripting
Moderate
CVE-2025-64747
was published
for
directus
(npm)
Nov 14, 2025
Directus has Improper Permission Handling on Deleted Fields
Moderate
CVE-2025-64746
was published
for
directus
(npm)
Nov 14, 2025
Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change
High
GHSA-fjh6-8679-9pch
was published
for
flowise-ui
(npm)
Nov 14, 2025
Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials)
High
GHSA-x39m-3393-3qp4
was published
for
flowise-ui
(npm)
Nov 14, 2025
Flowise Fails to Invalidate Existing Sessions After Password Changes
High
GHSA-x7rp-qj2h-ghgw
was published
for
flowise
(npm)
Nov 14, 2025
js-yaml has prototype pollution in merge (<<)
Moderate
CVE-2025-64718
was published
for
js-yaml
(npm)
Nov 14, 2025
Directus Vulnerable to Information Leakage in Existing Collections
Moderate
CVE-2025-64749
was published
for
@directus/api
(npm)
Nov 13, 2025
Directus's conceal fields are searchable if read permissions enabled
Moderate
CVE-2025-64748
was published
for
@directus/api
(npm)
Nov 13, 2025
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
Moderate
CVE-2025-64525
was published
for
astro
(npm)
Nov 13, 2025
Astro development server error page vulnerable to reflected Cross-site Scripting
Low
CVE-2025-64745
was published
for
astro
(npm)
Nov 13, 2025
Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable
High
CVE-2025-59840
was published
for
vega
(npm)
Nov 13, 2025
ProTip!
Advisories are also available from the
GraphQL API