GitHub Advisory Database
A security vulnerability database that includes CVEs and GitHub-originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem
All reviewed: 5,000+
Composer: 5,000+
Erlang: 39
GitHub Actions: 38
Go: 2,690
Maven: 5,000+
npm: 4,320
NuGet: 760
pip: 4,096
Pub: 12
RubyGems: 958
Rust: 1,063
Swift: 45
Unreviewed advisories
All unreviewed: 5,000+
24,850 advisories
Withdrawn Advisory: express improperly controls modification of query properties
Low. CVE-2024-51999 was published for express (npm) on Dec 1, 2025. Withdrawn.

FeehiCMS fails to enforce server-side immutability
Moderate. CVE-2025-63523 was published for feehi/feehicms (Composer) on Dec 1, 2025.

FeehiCMS is vulnerable to cross-site scripting via the id parameter of the User Update function
Moderate. CVE-2025-63520 was published for feehi/feehicms (Composer) on Dec 1, 2025.

FeehiCMS is vulnerable to reverse tabnabbing
Moderate. CVE-2025-63522 was published for feehi/feehicms (Composer) on Dec 1, 2025.

NutzBoot vulnerable to information disclosure
Low. CVE-2025-13804 was published for org.nutz:nutzboot-parent (Maven) on Dec 1, 2025.

NutzBoot Incorrect Privilege Assignment vulnerability
Moderate. CVE-2025-13806 was published for org.nutz:nutzboot-parent (Maven) on Dec 1, 2025.

NutzBoot vulnerable to deserialization
Low. CVE-2025-13805 was published for org.nutz:nutzboot-parent (Maven) on Dec 1, 2025.
trytond allows remote attackers to obtain sensitive trace-back (server setup) information
Moderate. CVE-2025-66422 was published for trytond (pip) on Nov 30, 2025.

trytond does not enforce access rights for data export
Moderate. CVE-2025-66424 was published for trytond (pip) on Nov 30, 2025.

trytond does not enforce access rights for the route of the HTML editor
High. CVE-2025-66423 was published for trytond (pip) on Nov 30, 2025.

Tryton sao allows XSS because it does not escape completion values
Moderate. CVE-2025-66421 was published for tryton-sao (npm) on Nov 30, 2025.

Tryton sao allows XSS via an HTML attachment
Moderate. CVE-2025-66420 was published for tryton-sao (npm) on Nov 30, 2025.
Duplicate Advisory: Keras keras.utils.get_file API is vulnerable to a path traversal attack
High. CVE-2025-12638 was published for Keras (pip) on Nov 28, 2025. Withdrawn.

Mustangproject allows exfiltrating files via XXE attacks
Low. CVE-2025-66372 was published for org.mustangproject:library (Maven) on Nov 28, 2025.

Peppol-py is vulnerable to XXE attacks due to Saxon configuration
Moderate. CVE-2025-66371 was published for peppol_py (pip) on Nov 28, 2025.
ThingsBoard allows an authenticated user to upload malicious SVG images
Moderate. CVE-2025-3261 was published for org.thingsboard:application (Maven) on Nov 27, 2025.

Mattermost fails to verify the token used during code exchange
Critical. CVE-2025-12421 was published for github.com/mattermost/mattermost-server (Go) on Nov 27, 2025.

Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication
Critical. CVE-2025-12419 was published for github.com/mattermost/mattermost-server (Go) on Nov 27, 2025.

Mattermost fails to sanitize team email addresses
Moderate. CVE-2025-12559 was published for github.com/mattermost/mattermost-server (Go) on Nov 27, 2025.

Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements
High. CVE-2025-12758 was published for validator (npm) on Nov 27, 2025.

Ray's New Token Authentication is Disabled By Default
Critical. CVE-2025-34351 was published for ray (pip) on Nov 27, 2025.
Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client
High. CVE-2025-66035 was published for @angular/common (npm) on Nov 26, 2025.

Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions
Low. GHSA-wmjr-v86c-m9jj was published for better-auth (npm) on Nov 26, 2025.

willitmerge has a Command Injection vulnerability
Moderate. CVE-2025-66219 was published for willitmerge (npm) on Nov 26, 2025.

node-forge has ASN.1 Unbounded Recursion
High. CVE-2025-66031 was published for node-forge (npm) on Nov 26, 2025.
ProTip! Advisories are also available from the GraphQL API.