GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
1,667 advisories
Envoy forwards early CONNECT data in TCP proxy mode
Low
CVE-2025-64763
was published
for
github.com/envoyproxy/envoy
(Go)
Dec 5, 2025
Rhino has high CPU usage and potential DoS when passing specific numbers to `toFixed()` function
Low
CVE-2025-66453
was published
for
org.mozilla:rhino
(Maven)
Dec 3, 2025
Contao is vulnerable to cross-site scripting in templates
Low
CVE-2025-65961
was published
for
contao/core-bundle
(Composer)
Nov 25, 2025
Withdrawn Advisory: express improperly controls modification of query properties
Low
CVE-2024-51999
was published
for
express
(npm)
Dec 1, 2025
•
withdrawn
Discovery uses the same AES/GCM Nonce throughout the session
Low
CVE-2024-23688
was published
for
tech.pegasys.discovery:discovery
(Maven)
Apr 6, 2021
Better Auth affected by external request basePath modification DoS
Low
GHSA-569q-mpph-wgww
was published
for
better-auth
(npm)
Dec 1, 2025
Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls
Low
GHSA-rcmh-qjqh-p98v
was published
for
nodemailer
(npm)
Dec 1, 2025
Spotipy has a XSS vulnerability in its OAuth callback server
Low
CVE-2025-66040
was published
for
spotipy
(pip)
Dec 1, 2025
Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions
Low
GHSA-wmjr-v86c-m9jj
was published
for
better-auth
(npm)
Nov 26, 2025
VictoriaMetrics' Snappy Decoder DoS Vulnerability is Causing OOM
Low
CVE-2025-65942
was published
for
github.com/VictoriaMetrics/VictoriaMetrics
(Go)
Nov 25, 2025
PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users
Low
CVE-2025-64711
was published
for
privatebin/privatebin
(Composer)
Nov 14, 2025
ProTip!
Advisories are also available from the
GraphQL API