Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,680
Maven
5,000+
npm
4,308
NuGet
760
pip
4,081
Pub
12
RubyGems
958
Rust
1,061
Swift
45
Unreviewed advisories
All unreviewed
5,000+

1,366 advisories

Loading
Cross-site Scripting (XSS) in serialize-javascript Moderate
CVE-2024-11831 was published for serialize-javascript (npm) Feb 10, 2025
mhassan1
Credited to mhassan1
OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation Moderate
CVE-2025-66028 was published for @oneuptime/common (npm) Nov 25, 2025
SamirWaleed
Credited to SamirWaleed
parse is vulnerable to prototype pollution Moderate
CVE-2025-57324 was published for parse (npm) Sep 24, 2025
miguelmunoz-dotcom
Credited to miguelmunoz-dotcom
Hono vulnerable to Vary Header Injection leading to potential CORS Bypass Moderate
GHSA-q7jf-gf43-6x6p was published for hono (npm) Oct 24, 2025
gigatechcode
Credited to gigatechcode
Strapi Password Hashing is Missing Maximum Password Length Validation Moderate
CVE-2025-25298 was published for @strapi/core (npm) Oct 16, 2025
sinanptm
Credited to sinanptm
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint Moderate
CVE-2025-65019 was published for astro (npm) Nov 19, 2025
zomaxsec
Credited to zomaxsec
Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values Moderate
CVE-2025-64765 was published for astro (npm) Nov 19, 2025
Sudistark
Credited to Sudistark
Astro allows unauthorized third-party images in _image endpoint Moderate
CVE-2025-55303 was published for @astrojs/node (npm) Aug 19, 2025
HakuPiku GeneralZero
chriselbring-avalabs ematipico delucis Princesseuh
Credited to HakuPiku, GeneralZero, chriselbring-avalabs, ematipico, delucis, and Princesseuh
Astros's duplicate trailing slash feature leads to an open redirection security issue Moderate
CVE-2025-54793 was published for astro (npm) Aug 7, 2025
ghiyastfarisi ascorbic
ematipico
Credited to ghiyastfarisi, ascorbic, and ematipico
Atro CSRF Middleware Bypass (security.checkOrigin) Moderate
CVE-2024-56140 was published for astro (npm) Dec 18, 2024
KageShiron ematipico
delucis ascorbic
Credited to KageShiron, ematipico, delucis, and ascorbic
DOM Clobbering Gadget found in astro's client-side router that leads to XSS Moderate
CVE-2024-47885 was published for astro (npm) Oct 14, 2024
jackfromeast ishmeals
Credited to jackfromeast and ishmeals
Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` Moderate
CVE-2025-65944 was published for @sentry/astro (npm) Nov 24, 2025
willitmerge has a Command Injection vulnerability Moderate
GHSA-j9wj-m24m-7jj6 was published for willitmerge (npm) Nov 26, 2025
lirantal
Credited to lirantal
node-forge is vulnerable to ASN.1 OID Integer Truncation Moderate
CVE-2025-66030 was published for node-forge (npm) Nov 26, 2025
wodzen
Credited to wodzen
body-parser is vulnerable to denial of service when url encoding is used Moderate
CVE-2025-13466 was published for body-parser (npm) Nov 25, 2025
Phillip9587 bjohansebas
UlisesGascon ctcpip sheplu jonchurch
Credited to Phillip9587, bjohansebas, UlisesGascon, ctcpip, sheplu, and jonchurch
zx Uses Incorrectly-Resolved Name or Reference Moderate
CVE-2025-13437 was published for zx (npm) Nov 20, 2025
Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage Moderate
CVE-2025-63700 was published for @clerk/clerk-js (npm) Nov 20, 2025
Angular vulnerable to Cross-site Scripting Moderate
CVE-2021-4231 was published for @angular/core (npm) May 27, 2022
TTracz2i
Credited to TTracz2i
Angular vulnerable to Cross-site Scripting Moderate
CVE-2020-7676 was published for angular (npm) Jun 18, 2020
tdunlap607
Credited to tdunlap607
@perfood/couch-auth may expose session tokens, passwords Moderate
CVE-2025-60794 was published for @perfood/couch-auth (npm) Nov 20, 2025
Directus has an HTML Injection in Comment Moderate
CVE-2024-54128 was published for @directus/app (npm) Dec 5, 2024
mastomii r3dpower
Credited to mastomii and r3dpower
Bootstrap Cross-site Scripting vulnerability Moderate
CVE-2018-14041 was published for bootstrap (RubyGems) Sep 13, 2018
jenhae
Credited to jenhae
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message Moderate
CVE-2025-64758 was published for @dependencytrack/frontend (npm) Nov 17, 2025
jFriedli
Credited to jFriedli
Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict Moderate
CVE-2025-13033 was published for nodemailer (npm) Oct 7, 2025
xclow3n
Credited to xclow3n
js-yaml has prototype pollution in merge (<<) Moderate
CVE-2025-64718 was published for js-yaml (npm) Nov 14, 2025
Zephkek mhassan1
opal-visibuild alexstrive jlp-craigmorten turi4200
Credited to Zephkek, mhassan1, opal-visibuild, alexstrive, jlp-craigmorten, and turi4200
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database