Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,662
Maven
5,000+
npm
4,289
NuGet
760
pip
4,069
Pub
12
RubyGems
957
Rust
1,057
Swift
45
Unreviewed advisories
All unreviewed
5,000+

35 advisories

Loading
Directus has Improper Permission Handling on Deleted Fields Moderate
CVE-2025-64746 was published for directus (npm) Nov 14, 2025
beafn28
Credited to beafn28
@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields High
CVE-2025-64530 was published for @apollo/composition (npm) Nov 14, 2025
Kottster app reinitialization can be re-triggered allowing command injection in development mode High
CVE-2025-62713 was published for @kottster/server (npm) Oct 23, 2025
P0cas
Credited to P0cas
Strapi core vulnerable to sensitive data exposure via CORS misconfiguration Moderate
CVE-2025-53092 was published for @strapi/core (npm) Oct 16, 2025
ghostvirus62 derrickmehaffy
alexandrebodin innerdvations
Credited to ghostvirus62, derrickmehaffy, alexandrebodin, and innerdvations
@executeautomation/database-server does not properly restrict access, bypassing a "read-only" mode High
CVE-2025-59333 was published for @executeautomation/database-server (npm) Sep 16, 2025
lirantal
Credited to lirantal
Vite middleware may serve files starting with the same name with the public directory Low
CVE-2025-58751 was published for vite (npm) Sep 9, 2025
orihjfrog lukeed
Credited to orihjfrog and lukeed
Vite's `server.fs` settings were not applied to HTML files Low
CVE-2025-58752 was published for vite (npm) Sep 9, 2025
orihjfrog dominikg
Credited to orihjfrog and dominikg
Withdrawn Advisory: JHipster allows privilege escalation via a modified authorities parameter Low
CVE-2025-43712 was published for generator-jhipster (npm) Jul 25, 2025 withdrawn
Erxes Incorrect Access Control vulnerability High
CVE-2024-57190 was published for erxes (npm) Jun 10, 2025
Vite allows server.fs.deny to be bypassed with .svg or relative paths Moderate
CVE-2025-31486 was published for vite (npm) Apr 4, 2025
HSwift Iuhsssss
kikayli sw0rd1ight do9gy-msec Onetpaer
Credited to HSwift, Iuhsssss, kikayli, sw0rd1ight, do9gy-msec, and Onetpaer
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query Moderate
CVE-2025-31125 was published for vite (npm) Mar 31, 2025
Iuhsssss
Credited to Iuhsssss
Vite bypasses server.fs.deny when using ?raw?? Moderate
CVE-2025-30208 was published for vite (npm) Mar 25, 2025
Ezzer17
Credited to Ezzer17
Directus vulnerable to SSRF Loopback IP filter bypass Moderate
CVE-2024-46990 was published for @directus/api (npm) Sep 18, 2024
r3dpower
Credited to r3dpower
Vite's `server.fs.deny` is bypassed when using `?import&raw` Moderate
CVE-2024-45811 was published for vite (npm) Sep 17, 2024
adi1
Credited to adi1
Mattermost Desktop App fails to safeguard screen capture functionality Moderate
CVE-2024-39772 was published for mattermost-desktop (npm) Sep 16, 2024
Withdrawn Advisory: Lunary improper access control vulnerability High
CVE-2024-6087 was published for lunary (npm) Sep 13, 2024 withdrawn
hughcrt
Credited to hughcrt
Ghost's improper authentication allows access to member information and actions Moderate
CVE-2024-43409 was published for @tryghost/portal (npm) Aug 20, 2024
1337Nerd
Credited to 1337Nerd
Directus incorrectly handles `_in` filter High
CVE-2024-39701 was published for directus (npm) Jul 8, 2024
adelinn
Credited to adelinn
rejetto HFS vulnerable to OS Command Execution by remote authenticated users High
CVE-2024-39943 was published for hfs (npm) Jul 5, 2024
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect Low
CVE-2024-30261 was published for undici (npm) Apr 4, 2024
Uzlopak
Credited to Uzlopak
Vite's `server.fs.deny` did not deny requests for patterns with directories. Moderate
CVE-2024-31207 was published for vite (npm) Apr 3, 2024
jtmcdole
Credited to jtmcdole
@lobehub/chat vulnerable to unauthorized access to plugins Moderate
CVE-2024-24566 was published for @lobehub/chat (npm) Jan 31, 2024
dastaj
Credited to dastaj
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem High
CVE-2024-23331 was published for vite (npm) Jan 19, 2024
dariushoule
Credited to dariushoule
EverShop at risk to unauthorized access via weak HMAC secret Critical
CVE-2023-46943 was published for @evershop/evershop (npm) Jan 13, 2024
@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR) Critical
CVE-2024-22206 was published for @clerk/nextjs (npm) Jan 12, 2024
nikosdouvlis SokratisVidros
colinclerk agis braden-clerk brkalow
Credited to nikosdouvlis, SokratisVidros, colinclerk, agis, braden-clerk, and brkalow
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database