GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

975 advisories

Podman Creates Temporary File with Insecure Permissions High
CVE-2025-4953 was published for github.com/containers/podman/v5 (Go) Sep 16, 2025
Incus vulnerable to local privilege escalation through custom storage volumes High
CVE-2025-64507 was published for github.com/lxc/incus (Go) Nov 13, 2025
Credited to abdodz1234, stgraber, and hallyn
Traefik Client Plugin's Path Traversal Vulnerability Allows Arbitrary File Overwrite and Remote Code Execution High
CVE-2025-54386 was published for github.com/traefik/traefik/v2 (Go) Aug 1, 2025
Credited to odaysec
KubeVirt Vulnerable to Arbitrary Host File Read and Write High
CVE-2025-64324 was published for kubevirt.io/kubevirt (Go) Nov 7, 2025
Credited to mihailkirov, Faeris95, and jean-edouard
Docker Compose Vulnerable to Path Traversal via OCI Artifact Layer Annotations High
CVE-2025-62725 was published for github.com/docker/compose/v2 (Go) Oct 27, 2025
Credited to masasron and shaked-seal
Grype has a credential disclosure vulnerability in its JSON output High
CVE-2025-65965 was published for github.com/anchore/grype (Go) Nov 25, 2025
Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default High
CVE-2025-13357 was published for github.com/hashicorp/terraform-provider-vault (Go) Nov 21, 2025
esm.sh CDN service has arbitrary file write via tarslip High
CVE-2025-65025 was published for github.com/esm-dev/esm.sh (Go) Nov 19, 2025
Credited to pyozzi-toss
Traefik has a possible vulnerability with its path matchers High
CVE-2025-32431 was published for github.com/traefik/traefik (Go) Apr 21, 2025
OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation High
CVE-2025-64761 was published for github.com/openbao/openbao (Go) Nov 24, 2025
Credited to cipherboy
new-api is vulnerable to SSRF Bypass High
CVE-2025-62155 was published for github.com/QuantumNous/new-api (Go) Nov 24, 2025
Credited to h3rrr and Calcium-Ion
NSSF panic due to nil pointer dereference when expiry field is omitted in NSSAIAvailability POST High
CVE-2025-60638 was published for github.com/free5gc/nssf (Go) Nov 24, 2025
Babylon's malformed vote extensions are not rejected High
GHSA-2fcv-qww3-9v6h was published for github.com/babylonlabs-io/babylon/v4 (Go) Nov 24, 2025
Minder does not sandbox http.send in Rego programs High
GHSA-6xvf-4vh9-mw47 was published for github.com/mindersec/minder (Go) Nov 20, 2025
Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command High
CVE-2018-21258 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Juju allows arbitrary executable uploads via authenticated endpoint without authorization High
CVE-2025-0928 was published for github.com/juju/juju (Go) Jul 9, 2025
Credited to tlm, wallyworld, hpidcock, Fedqys, and setharnold
LXD vulnerable to a local privilege escalation through custom storage volumes High
GHSA-3g2j-vm47-x4mj was published for github.com/canonical/lxd (Go) Nov 13, 2025
Credited to abdodz1234 and stgraber
Evervault Go SDK: Incomplete PCR Validation in Enclave Attestation for non-Evervault hosted Enclaves High
CVE-2025-64186 was published for github.com/evervault/evervault-go (Go) Nov 12, 2025
Credited to JoranHonig
Memos' Access Tokens Stay Valid after User Password Change High
CVE-2024-21635 was published for github.com/usememos/memos (Go) Nov 14, 2025
Credited to jhademcconnell
jose2go is vulnerable to a JWT bomb attack through its decode function High
CVE-2025-63811 was published for github.com/dvsekhvalnov/jose2go (Go) Nov 12, 2025
Observability Operator is vulnerable to Incorrect Privilege Assignment through its Custom Resource MonitorStack High
CVE-2025-2843 was published for github.com/rhobs/observability-operator (Go) Nov 12, 2025
ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP High
CVE-2025-64717 was published for github.com/zitadel/zitadel (Go) Nov 14, 2025
Credited to livio-a, IAM-marco, and Jank1310
File Browser is Vulnerable to Insecure Direct Object Reference (IDOR) in Share Deletion Function High
CVE-2025-64523 was published for github.com/filebrowser/filebrowser (Go) Nov 13, 2025
Credited to bbodisteanu-hacken and hacdias
AWS Advanced Go Wrapper: Privilege Escalation in Aurora PostgreSQL Instance High
GHSA-7wq2-32h4-9hc9 was published for github.com/aws/aws-advanced-go-wrapper/awssql (Go) Nov 13, 2025
podman kube play symlink traversal vulnerability High
CVE-2025-9566 was published for github.com/containers/podman/v4 (Go) Sep 4, 2025
Credited to Luap99