Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,722
Maven
5,000+
npm
4,329
NuGet
762
pip
4,105
Pub
12
RubyGems
958
Rust
1,065
Swift
45
Unreviewed advisories
All unreviewed
5,000+

1,042 advisories

Loading
Compromised xrpl.js versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2 Critical
CVE-2025-32965 was published for xrpl (npm) Apr 22, 2025
Prototype pollution in 101 Critical
CVE-2021-25943 was published for 101 (npm) May 17, 2021
Nuclide Improper Input Validation Critical
CVE-2018-6333 was published for nuclide (npm) May 13, 2022
Passport-wsfed-saml2 allows SAML Authentication Bypass via Signature Wrapping Critical
CVE-2025-46572 was published for passport-wsfed-saml2 (npm) May 6, 2025
samlify SAML Signature Wrapping attack Critical
CVE-2025-47949 was published for samlify (npm) May 19, 2025
ahacker1-securesaml
Credited to ahacker1-securesaml
Taylored webhook validation vulnerabilities Critical
GHSA-8g98-m4j9-qww5 was published for taylored (npm) Jun 18, 2025
pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos Critical
CVE-2025-6545 was published for pbkdf2 (npm) Jun 23, 2025
ChALkeR ljharb
Credited to ChALkeR and ljharb
pbkdf2 silently disregards Uint8Array input, returning static keys Critical
CVE-2025-6547 was published for pbkdf2 (npm) Jun 23, 2025
ChALkeR ljharb
Credited to ChALkeR and ljharb
mcp-remote exposed to OS command injection via untrusted MCP server connections Critical
CVE-2025-6514 was published for mcp-remote (npm) Jul 9, 2025
MCP Inspector proxy server lacks authentication between the Inspector client and proxy Critical
CVE-2025-49596 was published for @modelcontextprotocol/inspector (npm) Jun 13, 2025
JLLeitschuh
Credited to JLLeitschuh
Qwik's unhandled exception vulnerabilty can cause server crashes from malicious requests Critical
CVE-2025-53620 was published for @builder.io/qwik-city (npm) Jul 9, 2025
finalgamer
Credited to finalgamer
docusaurus-plugin-content-gists vulnerability exposes GitHub Personal Access Token Critical
CVE-2025-53624 was published for docusaurus-plugin-content-gists (npm) Jul 9, 2025
webbertakken
Credited to webbertakken
NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access Critical
CVE-2025-54127 was published for @haxtheweb/haxcms-nodejs (npm) Jul 21, 2025
asareynolds
Credited to asareynolds
Node-SAML SAML Authentication Bypass Critical
CVE-2025-54369 was published for @node-saml/node-saml (npm) Jul 25, 2025
ahacker1-securesaml cjbarth
Credited to ahacker1-securesaml and cjbarth
billboard.js allows prototype pollution via the function generate Critical
CVE-2025-49223 was published for billboard.js (npm) Jun 4, 2025
saip-loginsoft
Credited to saip-loginsoft
@nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers Critical
CVE-2025-54782 was published for @nestjs/devtools-integration (npm) Aug 1, 2025
JLLeitschuh
Credited to JLLeitschuh
Node-SAML SAML Signature Verification Vulnerability Critical
CVE-2025-54419 was published for @node-saml/node-saml (npm) Jul 28, 2025
ahacker1-securesaml cjbarth
Credited to ahacker1-securesaml and cjbarth
Prototype Pollution in lodash Critical
CVE-2019-10744 was published for lodash (RubyGems) Jul 10, 2019
G-Rath
Credited to G-Rath
Flowise OS command remote code execution Critical
CVE-2025-8943 was published for flowise (npm) Aug 14, 2025
screenshot-desktop vulnerable to command Injection via `format` option Critical
CVE-2025-55294 was published for screenshot-desktop (npm) Aug 19, 2025
RichardoC bencevans
Credited to RichardoC and bencevans
Directus allows unauthenticated file upload and file modification due to lacking input sanitization Critical
CVE-2025-55746 was published for @directus/api (npm) Aug 20, 2025
r4bbit-r4
Credited to r4bbit-r4
utils-extend Prototype Pollution Critical
CVE-2024-57077 was published for utils-extend (npm) Feb 6, 2025
dsimk
Credited to dsimk
Improper Neutralization of Special Elements used in a Command in Shell-quote Critical
CVE-2021-42740 was published for shell-quote (npm) May 24, 2022
MyTrueWallet kurt-r2c
jwilk levpachmanov
Credited to MyTrueWallet, kurt-r2c, jwilk, and levpachmanov
@akoskm/create-mcp-server-stdio is vulnerable to MCP Server Command Injection through `exec` API Critical
CVE-2025-54994 was published for @akoskm/create-mcp-server-stdio (npm) Sep 8, 2025
lirantal
Credited to lirantal
interactive-git-checkout has a Command Injection vulnerability Critical
CVE-2025-59046 was published for interactive-git-checkout (npm) Sep 10, 2025
lirantal
Credited to lirantal
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database