Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

8,607 advisories

Loading
OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization High
CVE-2025-66021 was published for com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer (Maven) Nov 25, 2025
ironfisto
Credited to ironfisto
Better Auth Passkey Plugin allows passkey deletion through IDOR High
GHSA-4vcf-q4xf-f48m was published for @better-auth/passkey (npm) Nov 25, 2025
goksan
Credited to goksan
NSSF panic due to nil pointer dereference when expiry field is omitted in NSSAIAvailability POST High
CVE-2025-60638 was published for github.com/free5gc/nssf (Go) Nov 24, 2025
cggmp24 and cggmp21 are vulnerable to signature forgery through altered presignatures High
CVE-2025-66017 was published for cggmp21 (Rust) Nov 25, 2025
Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer High
CVE-2025-62703 was published for fugue (pip) Nov 25, 2025
Chenpinji
Credited to Chenpinji
LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates High
CVE-2025-65106 was published for langchain-core (pip) Nov 20, 2025
0xn3va
Credited to 0xn3va
GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature High
CVE-2025-58360 was published for org.geoserver.web:gs-web-app (Maven) Nov 25, 2025
xbow-security jodygarnett
Credited to xbow-security and jodygarnett
Grype has a credential disclosure vulnerability in its JSON output High
CVE-2025-65965 was published for github.com/anchore/grype (Go) Nov 25, 2025
Apache Syncope's AES encryption stores hard-coded passwords in internal database High
CVE-2025-65998 was published for org.apache.syncope:syncope-core (Maven) Nov 24, 2025
Babylon's malformed vote extensions are not rejected High
GHSA-2fcv-qww3-9v6h was published for github.com/babylonlabs-io/babylon/v4 (Go) Nov 24, 2025
OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation High
CVE-2025-64761 was published for github.com/openbao/openbao (Go) Nov 24, 2025
cipherboy
Credited to cipherboy
new-api is vulnerable to SSRF Bypass High
CVE-2025-62155 was published for github.com/QuantumNous/new-api (Go) Nov 24, 2025
h3rrr Calcium-Ion
Credited to h3rrr and Calcium-Ion
JDBC Driver for SQL Server has improper input validation issue High
CVE-2025-59250 was published for com.microsoft.sqlserver:mssql-jdbc (Maven) Oct 14, 2025
Fidget-Grep andreasmh
urielcos
Credited to Fidget-Grep, andreasmh, and urielcos
thread-amount Vulnerable to Resource Exhaustion (Memory and Handle Leaks) on Windows and macOS High
CVE-2025-65947 was published for thread-amount (Rust) Nov 21, 2025
jzeuzs
Credited to jzeuzs
Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default High
CVE-2025-13357 was published for github.com/hashicorp/terraform-provider-vault (Go) Nov 21, 2025
expr-eval does not restrict functions passed to the evaluate function High
CVE-2025-12735 was published for expr-eval (npm) Nov 5, 2025
sei-vsarvepalli
Credited to sei-vsarvepalli
authkit-nextjs may let session cookies be cached in CDNs High
CVE-2025-64762 was published for @workos-inc/authkit-nextjs (npm) Nov 20, 2025
@anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes High
CVE-2025-64755 was published for @anthropic-ai/claude-code (npm) Nov 20, 2025
vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs High
CVE-2025-62372 was published for vllm (pip) Nov 20, 2025
DarkLight1337 ywang96
Isotr0py russellb
Credited to DarkLight1337, ywang96, Isotr0py, and russellb
vLLM deserialization vulnerability leading to DoS and potential RCE High
CVE-2025-62164 was published for vllm (pip) Nov 20, 2025
omriaxion russellb
DarkLight1337 Isotr0py ywang96
Credited to omriaxion, russellb, DarkLight1337, Isotr0py, and ywang96
Podman Creates Temporary File with Insecure Permissions High
CVE-2025-4953 was published for github.com/containers/podman/v5 (Go) Sep 16, 2025
Minder does not sandbox http.send in Rego programs High
GHSA-6xvf-4vh9-mw47 was published for github.com/mindersec/minder (Go) Nov 20, 2025
Apache Tomcat Vulnerable to Relative Path Traversal High
CVE-2025-55752 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Oct 27, 2025
aruneko tkwilli94
Credited to aruneko and tkwilli94
Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command High
CVE-2018-21258 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
angular Prototype Pollution vulnerability High
CVE-2019-10768 was published for angular (npm) Nov 20, 2019
ProTip! Advisories are also available from the GraphQL API