Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,656
Maven
5,000+
npm
4,284
NuGet
760
pip
4,069
Pub
12
RubyGems
957
Rust
1,057
Swift
45
Unreviewed advisories
All unreviewed
5,000+

191 advisories

Loading
Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register) High
GHSA-v5w9-prxf-w882 was published for flowise (npm) Nov 17, 2025
ReeFSpeK ERANV-EVA
Credited to ReeFSpeK and ERANV-EVA
Memos' Access Tokens Stay Valid after User Password Change High
CVE-2024-21635 was published for github.com/usememos/memos (Go) Nov 14, 2025
jhademcconnell
Credited to jhademcconnell
ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP High
CVE-2025-64717 was published for github.com/zitadel/zitadel (Go) Nov 14, 2025
livio-a IAM-marco
Jank1310
Credited to livio-a, IAM-marco, and Jank1310
TYPO3 Modules Extension has Improper Authentication vulnerability High
CVE-2025-12998 was published for codingms/modules (Composer) Nov 12, 2025
Zitadel May Bypass Second Authentication Factor High
CVE-2025-64103 was published for github.com/zitadel/zitadel (Go) Oct 29, 2025
livio-a IAM-marco
mffap
Credited to livio-a, IAM-marco, and mffap
FastMCP Auth Integration Allows for Confused Deputy Account Takeover High
GHSA-c2jp-c369-7pvx was published for fastmcp (pip) Oct 29, 2025
localden
Credited to localden
Dragonfly doesn't have authentication enabled for some Manager’s endpoints High
CVE-2025-59345 was published for d7y.io/dragonfly/v2 (Go) Sep 17, 2025
gaius-qi
Credited to gaius-qi
WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled High
CVE-2025-54376 was published for github.com/SpectoLabs/hoverfly (Go) Sep 10, 2025
Kr1shna4garwal
Credited to Kr1shna4garwal
Komari vulnerable to 2FA Authentication Bypass High
GHSA-jhmr-57cj-q6g9 was published for github.com/komari-monitor/komari (Go) Aug 12, 2025
imlonghao
Credited to imlonghao
@fedify/fedify has Improper Authentication and Incorrect Authorization High
CVE-2025-54888 was published for @fedify/fedify (npm) Aug 8, 2025
allouis dahlia
Credited to allouis and dahlia
Alchemy Non-SMA and Webauthn Account Security Advisory High
GHSA-56r6-ccm5-8hg3 was published for @account-kit/smart-contracts (npm) Jul 21, 2025
carlos-cow
Credited to carlos-cow
Salt has minion event bus authorization bypass vulnerability High
CVE-2025-22236 was published for salt (pip) Jun 13, 2025
pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration High
CVE-2025-49146 was published for org.postgresql:postgresql (Maven) Jun 11, 2025
jawj
Credited to jawj
Erxes Incorrect Access Control vulnerability High
CVE-2024-57190 was published for erxes (npm) Jun 10, 2025
Jenkins WSO2 Oauth Plugin Fails to Properly Authenticate User Credentials High
CVE-2025-47889 was published for org.jenkins-ci.plugins:wso2id-oauth (Maven) May 14, 2025
Passport-wsfed-saml2 allows SAML Authentication Bypass via Attribute Smuggling High
CVE-2025-46573 was published for passport-wsfed-saml2 (npm) May 6, 2025
kevinroh-okta
Credited to kevinroh-okta
Joomla CMS Multi-Factor Authentication Bypass High
CVE-2025-25227 was published for joomla/joomla-cms (Composer) Apr 8, 2025
Open WebUI lacks authentication for the `api/v1/utils/pdf` endpoint High
CVE-2024-8053 was published for open-webui (pip) Mar 20, 2025
Spring Security Does Not Enforce Password Length High
CVE-2025-22228 was published for org.springframework.security:spring-security-crypto (Maven) Mar 20, 2025
Ratify Azure authentication providers can leak authentication tokens to non-Azure container registries High
CVE-2025-27403 was published for github.com/deislabs/ratify (Go) Mar 11, 2025
Rancher does not Properly Validate Account Bindings in SAML Authentication Enables User Impersonation on First Login High
CVE-2025-23389 was published for github.com/rancher/rancher (Go) Feb 27, 2025
AnonySE26
Credited to AnonySE26
NiceGUI On Air authentication issue High
CVE-2025-21618 was published for nicegui (pip) Jan 6, 2025
streamcfd rodja
Credited to streamcfd and rodja
Socialstream has a Potential Account Takeover Vulnerability in Social Account Linking Due to Missing User Consent After OAuth Callback High
CVE-2024-56329 was published for joelbutcher/socialstream (Composer) Dec 20, 2024
carlosmintfan
Credited to carlosmintfan
djoser Authentication Bypass High
CVE-2024-21543 was published for djoser (pip) Dec 13, 2024
Apache Ozone: Improper authentication when generating S3 secrets High
CVE-2024-45106 was published for org.apache.ozone:ozone (Maven) Dec 3, 2024
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database