Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,737
Maven
5,000+
npm
4,337
NuGet
764
pip
4,112
Pub
12
RubyGems
960
Rust
1,068
Swift
45
Unreviewed advisories
All unreviewed
5,000+

4,338 advisories

Loading
Flowise Fails to Invalidate Existing Sessions After Password Changes High
GHSA-x7rp-qj2h-ghgw was published for flowise (npm) Nov 14, 2025
mbiesiad
Credited to mbiesiad
@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields High
CVE-2025-64530 was published for @apollo/composition (npm) Nov 14, 2025
Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable High
CVE-2025-59840 was published for vega (npm) Nov 13, 2025
nickcopi hydrosquall
domoritz jeramysoucy lsh kachkaev
Credited to nickcopi, hydrosquall, domoritz, jeramysoucy, lsh, and kachkaev
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass Moderate
CVE-2025-64525 was published for astro (npm) Nov 13, 2025
cold-try delucis
Credited to cold-try and delucis
AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance High
GHSA-8wj8-cfxr-9374 was published for aws-advanced-nodejs-wrapper (npm) Nov 13, 2025
@react-native-community/cli has arbitrary OS command injection Critical
CVE-2025-11953 was published for @react-native-community/cli (npm) Nov 3, 2025
Malayke cylewaitforit
liamjones conorfitch
Credited to Malayke, cylewaitforit, liamjones, and conorfitch
EverShop is vulnerable to Unauthorized Order Information Access (IDOR) Low
CVE-2025-12919 was published for @evershop/evershop (npm) Nov 9, 2025
Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details Moderate
CVE-2025-64502 was published for parse-server (npm) Nov 13, 2025
mtrezza coratgerl
mstniy
Credited to mtrezza, coratgerl, and mstniy
Cloudinary Node SDK is vulnerable to Arbitrary Argument Injection through parameters that include an ampersand High
CVE-2025-12613 was published for cloudinary (npm) Nov 10, 2025
Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format High
CVE-2025-64430 was published for parse-server (npm) Nov 5, 2025
jacksonkasi1 mtrezza
Credited to jacksonkasi1 and mtrezza
Nuxt DevTools vulnerable to cross-site scripting (XSS) Moderate
CVE-2025-52662 was published for @nuxt/devtools (npm) Nov 7, 2025
Flowise is vulnerable to arbitrary file exposure through its ReadFileTool High
GHSA-j44m-5v8f-gc9c was published for flowise (npm) Oct 10, 2025
XlabAITeam
Credited to XlabAITeam
min-document vulnerable to prototype pollution Low
CVE-2025-57352 was published for min-document (npm) Sep 24, 2025
G-Rath
Credited to G-Rath
Volto affected by possible DoS by invoking specific URL by anonymous user High
CVE-2025-58047 was published for @plone/volto (npm) Aug 28, 2025
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) High
CVE-2022-37599 was published for loader-utils (npm) Oct 12, 2022
jeran-urban G-Rath
Credited to jeran-urban and G-Rath
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect Low
CVE-2024-30261 was published for undici (npm) Apr 4, 2024
Uzlopak
Credited to Uzlopak
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline Low
CVE-2024-30260 was published for undici (npm) Apr 4, 2024
llhttp vulnerable to HTTP request smuggling High
CVE-2023-30589 was published for llhttp (npm) Jul 1, 2023
XSS in the `of` option of the `.position()` util in jquery-ui Moderate
CVE-2021-41184 was published for jQuery.UI.Combined (RubyGems) Oct 26, 2021
esbena A-Fitz-Nelnet
Credited to esbena and A-Fitz-Nelnet
Predictable results in nanoid generation when given non-integer values Moderate
CVE-2024-55565 was published for nanoid (npm) Dec 9, 2024
krassowski katzj
CrzyHAX91
Credited to krassowski, katzj, and CrzyHAX91
matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal Moderate
CVE-2024-50336 was published for matrix-js-sdk (npm) Nov 12, 2024
Elliptic allows BER-encoded signatures Low
CVE-2024-42461 was published for elliptic (npm) Aug 2, 2024
BlazingWizard
Credited to BlazingWizard
Elliptic's ECDSA missing check for whether leading bit of r and s is zero Low
CVE-2024-42460 was published for elliptic (npm) Aug 2, 2024
BlazingWizard
Credited to BlazingWizard
Elliptic's EDDSA missing signature length check Low
CVE-2024-42459 was published for elliptic (npm) Aug 2, 2024
BlazingWizard
Credited to BlazingWizard
Follow Redirects improperly handles URLs in the url.parse() function Moderate
CVE-2023-26159 was published for follow-redirects (npm) Jan 2, 2024
iainsproat
Credited to iainsproat
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database