GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (count by ecosystem)
All reviewed: 5,000+
Composer: 5,000+
Erlang: 39
GitHub Actions: 38
Go: 2,700
Maven: 5,000+
npm: 4,327
NuGet: 761
pip: 4,099
Pub: 12
RubyGems: 958
Rust: 1,064
Swift: 45

Unreviewed advisories (count)
All unreviewed: 5,000+
8,646 advisories
Title | Severity | Advisory ID | Package (ecosystem) | Published
libcrux incorrectly calculates on aarch64 | High | GHSA-2cgv-28vr-rv6j | libcrux-intrinsics (Rust) | Dec 4, 2025
auth0/node-jws Improperly Verifies HMAC Signature | High | CVE-2025-65945 | jws (npm) | Dec 4, 2025
Claude Code Command Validation Bypass Allows Arbitrary Code Execution | High | CVE-2025-66032 | @anthropic-ai/claude-code (npm) | Dec 3, 2025
Coder logs sensitive objects unsanitized | High | CVE-2025-66411 | github.com/coder/coder/v2 (Go) | Dec 3, 2025
Nokogiri NULL Pointer Dereference | High | CVE-2018-14404 | nokogiri (RubyGems) | Jan 17, 2019
Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes | High | CVE-2025-66412 | @angular/compiler (npm) | Dec 2, 2025
Mattermost Server vulnerable to Denial of Service through `@` character prefix inserted into JavaScript field names | High | CVE-2017-18871 | github.com/mattermost/mattermost-server (Go) | May 24, 2022
Docker MCP Plugin and Docker MCP Gateway have DNS Rebinding vulnerability when running in sse or streaming mode | High | CVE-2025-64443 | github.com/docker/mcp-gateway (Go) | Dec 3, 2025
Podman Creates Temporary File with Insecure Permissions | High | CVE-2025-4953 | github.com/containers/podman/v5 (Go) | Sep 16, 2025
mako is vulnerable to Regular Expression Denial of Service | High | CVE-2022-40023 | mako (pip) | Sep 16, 2022
Aimeos GrapesJS CMS extension has possible stored XSS that's exploitable by authenticated editors | High | CVE-2025-66468 | aimeos/ai-cms-grapesjs (Composer) | Dec 3, 2025
LZ4 Java Compression has Out-of-bounds memory operations which can cause DoS | High | CVE-2025-12183 | at.yawk.lz4:lz4-java (Maven) | Nov 28, 2025
Apache Struts is Vulnerable to DoS via File Leak | High | CVE-2025-64775 | org.apache.struts:struts2-core (Maven) | Dec 1, 2025
OpenSearch is vulnerable to DoS via complex query_string inputs | High | CVE-2025-9624 | org.opensearch:opensearch-common (Maven) | Nov 25, 2025
Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default | High | CVE-2025-66416 | mcp (pip) | Dec 2, 2025
Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default | High | CVE-2025-66414 | @modelcontextprotocol/sdk (npm) | Dec 2, 2025
GrapesJsBuilder File Upload allows all file uploads | High | CVE-2025-13827 | mautic/grapes-js-builder-bundle (Composer) | Dec 2, 2025
gokey allows secret recovery from a seed file without the master password | High | CVE-2025-13353 | github.com/cloudflare/gokey (Go) | Dec 2, 2025
vLLM vulnerable to remote code execution via transformers_utils/get_config | High | CVE-2025-66448 | vllm (pip) | Dec 2, 2025
Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements | High | CVE-2025-12758 | validator (npm) | Nov 27, 2025
XWiki Jetty Package (XJetty) allows accessing any application file through URL | High | CVE-2025-55749 | org.xwiki.platform:xwiki-platform-tool-jetty-resources (Maven) | Dec 1, 2025
Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms | High | CVE-2025-66298 | getgrav/grav (Composer) | Dec 2, 2025
Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass | High | CVE-2025-66294 | getgrav/grav (Composer) | Dec 2, 2025
Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection | High | CVE-2025-66297 | getgrav/grav (Composer) | Dec 2, 2025
Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption | High | CVE-2025-66295 | getgrav/grav (Composer) | Dec 2, 2025
ProTip! Advisories are also available from the GraphQL API.