Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,680
Maven
5,000+
npm
4,308
NuGet
760
pip
4,081
Pub
12
RubyGems
958
Rust
1,061
Swift
45
Unreviewed advisories
All unreviewed
5,000+

4,309 advisories

Loading
Flowise Stored XSS vulnerability through logs in chatbot Moderate
CVE-2025-29192 was published for flowise (npm) Oct 3, 2025
LIFE-team2024
Credited to LIFE-team2024
Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel Critical
CVE-2025-50538 was published for flowise (npm) Oct 3, 2025
mikensec
Credited to mikensec
Flowise vulnerable to XSS Moderate
GHSA-4fr9-3x69-36wv was published for flowise (npm) Oct 3, 2025
quitbug
Credited to quitbug
Claude Code permission deny bypass through symlink Low
CVE-2025-59829 was published for @anthropic-ai/claude-code (npm) Oct 3, 2025
Claude Code can execute commands prior to the startup trust dialog High
CVE-2025-59536 was published for @anthropic-ai/claude-code (npm) Oct 3, 2025
Fiora chat group avatar is vulnerable to XSS via SVG files Low
CVE-2025-56515 was published for fiora (npm) Oct 1, 2025
Fiora chat user avatar is vulnerable to XSS via SVG files Low
CVE-2025-56514 was published for fiora (npm) Oct 1, 2025
@plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user High
CVE-2025-61668 was published for @plone/volto (npm) Oct 1, 2025
validator.js has a URL validation bypass vulnerability in its isURL function Moderate
CVE-2025-56200 was published for validator (npm) Sep 30, 2025
G-Rath Moumouls
aleyipsoftwire
Credited to G-Rath, Moumouls, and aleyipsoftwire
Finance.js vulnerable to DoS via the IRR function’s depth parameter High
CVE-2025-56571 was published for financejs (npm) Sep 30, 2025
Finance.js vulnerable to DoS via the seekZero() parameter High
CVE-2025-56572 was published for financejs (npm) Sep 30, 2025
figma-developer-mcp vulnerable to command injection in get_figma_data tool High
CVE-2025-53967 was published for figma-developer-mcp (npm) Sep 30, 2025
dellalibera
Credited to dellalibera
check-branches is vulnerable to command Injection Critical
CVE-2025-11148 was published for check-branches (npm) Sep 30, 2025
lirantal
Credited to lirantal
@nubosoftware/node-static failure to catch exception can result in server crash High
CVE-2025-11149 was published for @nubosoftware/node-static (npm) Sep 30, 2025
lirantal
Credited to lirantal
algoliasearch-helper is vulnerable to Prototype Pollution in _merge() Moderate
CVE-2025-3193 was published for algoliasearch-helper (npm) Sep 27, 2025
Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass High
CVE-2025-59845 was published for @apollo/explorer (npm) Sep 26, 2025
ekzyis 0x9x-ui
Credited to ekzyis and 0x9x-ui
express-xss-sanitizer has an unbounded recursion depth Moderate
CVE-2025-59364 was published for express-xss-sanitizer (npm) Sep 26, 2025
get-jwks: poisoned JWKS cache allows post-fetch issuer validation bypass Critical
CVE-2025-59936 was published for get-jwks (npm) Sep 26, 2025
epureionut99
Credited to epureionut99
cors-anywhere vulnerable to server-side request forgery Critical
CVE-2020-36851 was published for cors-anywhere (npm) Sep 25, 2025
apidoc-core is vulnerable to prototype pollution High
CVE-2025-57317 was published for apidoc-core (npm) Sep 25, 2025
dref is vulnerable to prototype pollution High
CVE-2025-26278 was published for dref (npm) Sep 25, 2025
Duplicate Advisory: Malicious versions of Nx were published Critical
GHSA-8mjq-32x3-22qf was published for nx (npm) Sep 25, 2025 withdrawn
lobe-chat has an Open Redirect Moderate
CVE-2025-59426 was published for @lobehub/chat (npm) Sep 24, 2025
im-soohyun
Credited to im-soohyun
Withdrawn Advisory: fast-redact vulnerable to prototype pollution Low
CVE-2025-57319 was published for fast-redact (npm) Sep 24, 2025 withdrawn
mcollina
Credited to mcollina
spmrc vulnerable to prototype pollution Low
CVE-2025-57327 was published for spmrc (npm) Sep 24, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database