Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,662
Maven
5,000+
npm
4,289
NuGet
760
pip
4,069
Pub
12
RubyGems
957
Rust
1,057
Swift
45
Unreviewed advisories
All unreviewed
5,000+

1,209 advisories

Loading
golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read Moderate
CVE-2025-47914 was published for golang.org/x/crypto (Go) Nov 19, 2025
golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption Moderate
CVE-2025-58181 was published for golang.org/x/crypto (Go) Nov 19, 2025
esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript Moderate
CVE-2025-65026 was published for github.com/esm-dev/esm.sh (Go) Nov 19, 2025
pyozzi-toss
Credited to pyozzi-toss
authentik allows a deactivated Service account to authenticate to OAuth Moderate
CVE-2025-64521 was published for goauthentik.io (Go) Nov 19, 2025
authentik's invitation expiry is delayed by at least 5 minutes Moderate
CVE-2025-64708 was published for goauthentik.io (Go) Nov 19, 2025
melizeche
Credited to melizeche
KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer Moderate
CVE-2025-64432 was published for kubevirt.io/kubevirt (Go) Nov 6, 2025
mihailkirov Faeris95
xpivarc
Credited to mihailkirov, Faeris95, and xpivarc
KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing Moderate
CVE-2025-64434 was published for kubevirt.io/kubevirt (Go) Nov 6, 2025
mihailkirov Faeris95
Credited to mihailkirov and Faeris95
KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation Moderate
CVE-2025-64435 was published for kubevirt.io/kubevirt (Go) Nov 6, 2025
mihailkirov Faeris95
Credited to mihailkirov and Faeris95
KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes Moderate
CVE-2025-64436 was published for kubevirt.io/kubevirt (Go) Nov 6, 2025
mihailkirov Faeris95
xpivarc
Credited to mihailkirov, Faeris95, and xpivarc
KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes Moderate
CVE-2025-64437 was published for kubevirt.io/kubevirt (Go) Nov 6, 2025
mihailkirov Faeris95
xpivarc
Credited to mihailkirov, Faeris95, and xpivarc
KubeVirt Arbitrary Container File Read Moderate
CVE-2025-64433 was published for kubevirt.io/kubevirt (Go) Nov 6, 2025
mihailkirov Faeris95
Credited to mihailkirov and Faeris95
Mattermost allows system administrators to access password hashes and MFA secrets Moderate
CVE-2025-11794 was published for github.com/mattermost/mattermost-server (Go) Nov 14, 2025
Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL Moderate
CVE-2025-55073 was published for github.com/mattermost/mattermost-server (Go) Nov 14, 2025
Kgateway transformation policy template can emit files from the container Moderate
GHSA-5pmx-7r6r-wfqq was published for github.com/kgateway-dev/kgateway/v2 (Go) Nov 4, 2025
rikatz
Credited to rikatz
Mattermost does not enforce MFA on WebSocket connections Moderate
CVE-2025-55070 was published for github.com/mattermost/mattermost-server (Go) Nov 14, 2025
Anubis vulnerable to possible XSS via redir parameter when using subrequest auth mode Moderate
CVE-2025-64716 was published for github.com/TecharoHQ/anubis (Go) Oct 30, 2025
nijel mbiesiad
Credited to nijel and mbiesiad
Soft Serve does not sanitize ANSI escape sequences in user input Moderate
CVE-2025-64494 was published for github.com/charmbracelet/soft-serve (Go) Nov 6, 2025
Tomer-PL caarlos0
Credited to Tomer-PL and caarlos0
Mattermost fails to properly restrict access to archived channel search API Moderate
CVE-2025-11776 was published for github.com/mattermost/mattermost (Go) Nov 14, 2025
operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd Moderate
CVE-2025-7195 was published for github.com/operator-framework/operator-sdk (Go) Aug 7, 2025
github.com/jaredallard/archives Has Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Moderate
CVE-2025-64346 was published for github.com/jaredallard/archives (Go) Mar 28, 2025
ccojocar
Credited to ccojocar
containerd CRI server: Host memory exhaustion through Attach goroutine leak Moderate
CVE-2025-64329 was published for github.com/containerd/containerd (Go) Nov 6, 2025
Wheat2018
Credited to Wheat2018
kgateway is missing xDS authorization Moderate
CVE-2025-64323 was published for github.com/kgateway-dev/kgateway/v2 (Go) Nov 4, 2025
rikatz
Credited to rikatz
OpenShift Console Server Side Request Forgery vulnerability Moderate
CVE-2024-6538 was published for github.com/openshift/console (Go) Nov 25, 2024
lakeFS affected by unauthenticated access to API usage metrics Moderate
CVE-2025-64179 was published for github.com/treeverse/lakefs (Go) Nov 3, 2025
arielshaqed nopcoder
Credited to arielshaqed and nopcoder
Consul event endpoint is vulnerable to denial of service Moderate
CVE-2025-11375 was published for github.com/hashicorp/consul (Go) Oct 28, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database