
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

8,657 advisories

alexusmai laravel-file-manager is vulnerable to Directory Traversal via the unzip/extraction functionality (High)
CVE-2025-65346 was published for alexusmai/laravel-file-manager (Composer) on Dec 4, 2025
Credited to scholzj, ppatierno, and im-konge

Mattermost Server does not properly restrict use of slash commands (High)
CVE-2017-18886 was published for github.com/mattermost/mattermost-server (Go) on May 24, 2022

Podman Creates Temporary File with Insecure Permissions (High)
CVE-2025-4953 was published for github.com/containers/podman/v5 (Go) on Sep 16, 2025

MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability (High)
CVE-2025-11201 was published for mlflow (pip) on Oct 29, 2025
Credited to mueslo

yawkat LZ4 Java has a possible information leak in Java safe decompressor (High)
CVE-2025-66566 was published for at.yawk.lz4:lz4-java (Maven) on Dec 5, 2025
Credited to simonresch

urllib3 streaming API improperly handles highly compressed data (High)
CVE-2025-66471 was published for urllib3 (pip) on Dec 5, 2025
Credited to illia-v, pquentin, sethmlarson, Cycloctane, and stamparm

urllib3 allows an unbounded number of links in the decompression chain (High)
CVE-2025-66418 was published for urllib3 (pip) on Dec 5, 2025
Credited to illia-v, sethmlarson, and pquentin

Sigstore Timestamp Authority allocates excessive memory during request parsing (High)
CVE-2025-66564 was published for github.com/sigstore/timestamp-authority (Go) on Dec 5, 2025

Fulcio allocates excessive memory during token parsing (High)
CVE-2025-66506 was published for github.com/sigstore/fulcio (Go) on Dec 5, 2025
Credited to adeinega

Grype has a credential disclosure vulnerability in its JSON output (High)
CVE-2025-65965 was published for github.com/anchore/grype (Go) on Nov 25, 2025
Credited to chisui

Logrus is vulnerable to DoS when using Entry.Writer() (High)
CVE-2025-65637 was published for github.com/sirupsen/logrus (Go) on Dec 4, 2025

Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF' (High)
CVE-2025-65959 was published for open-webui (npm) on Dec 4, 2025
Credited to pyozzi-toss and L2VE

Remote Code Execution Vulnerability in vLLM Multi-Node Cluster Configuration (High)
CVE-2025-30165 was published for vllm (pip) on May 6, 2025
Credited to avioligo and russellb

auth0/node-jws Improperly Verifies HMAC Signature (High)
CVE-2025-65945 was published for jws (npm) on Dec 4, 2025
Credited to teolines

libcrux incorrectly calculates on aarch64 (High)
GHSA-2cgv-28vr-rv6j was published for libcrux-intrinsics (Rust) on Dec 4, 2025

Claude Code Command Validation Bypass Allows Arbitrary Code Execution (High)
CVE-2025-66032 was published for @anthropic-ai/claude-code (npm) on Dec 3, 2025
Credited to Ry0taK

Coder logs sensitive objects unsanitized (High)
CVE-2025-66411 was published for github.com/coder/coder/v2 (Go) on Dec 3, 2025

Nokogiri NULL Pointer Dereference (High)
CVE-2018-14404 was published for nokogiri (RubyGems) on Jan 17, 2019

Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes (High)
CVE-2025-66412 was published for @angular/compiler (npm) on Dec 2, 2025
Credited to alan-agius4, securityMB, crisbeto, devversion, AKiileX, and AndrewKushnir

Mattermost Server vulnerable to Denial of Service through `@` character prefix inserted into JavaScript field names (High)
CVE-2017-18871 was published for github.com/mattermost/mattermost-server (Go) on May 24, 2022

Docker MCP Plugin and Docker MCP Gateway have DNS Rebinding vulnerability when running in sse or streaming mode (High)
CVE-2025-64443 was published for github.com/docker/mcp-gateway (Go) on Dec 3, 2025
Credited to JLLeitschuh

mako is vulnerable to Regular Expression Denial of Service (High)
CVE-2022-40023 was published for mako (pip) on Sep 16, 2022

Aimeos GrapesJS CMS extension has possible stored XSS that's exploitable by authenticated editors (High)
CVE-2025-66468 was published for aimeos/ai-cms-grapesjs (Composer) on Dec 3, 2025