
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

24,776 advisories

REDAXO CMS is vulnerable to RCE attack through its template management component High
CVE-2025-64050 was published for redaxo/source (Composer) Nov 25, 2025
Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization Moderate
CVE-2025-13467 was published for org.keycloak:keycloak-ldap-federation (Maven) Nov 25, 2025
REDAXO CMS is vulnerable to XSS through its module management component Moderate
CVE-2025-64049 was published for redaxo/source (Composer) Nov 25, 2025
body-parser is vulnerable to denial of service when url encoding is used Moderate
CVE-2025-13466 was published for body-parser (npm) Nov 25, 2025
Credited to Phillip9587, bjohansebas, UlisesGascon, ctcpip, sheplu, and jonchurch
Grype has a credential disclosure vulnerability in its JSON output High
CVE-2025-65965 was published for github.com/anchore/grype (Go) Nov 25, 2025
OMERO.web uses jquery-form library, which may be vulnerable to XSS attack Low
GHSA-j4gv-6x9v-v23g was published for omero-web (pip) Nov 24, 2025
Babylon's BIP322 signature implementation is not fully compliant to the spec Moderate
GHSA-xq4h-wqm2-668w was published for github.com/babylonlabs-io/babylon/v4 (Go) Nov 24, 2025
Babylon's malformed vote extensions are not rejected High
GHSA-2fcv-qww3-9v6h was published for github.com/babylonlabs-io/babylon/v4 (Go) Nov 24, 2025
LF Edge eKuiper is vulnerable to Arbitrary File Read/Write via unsanitized names and zip extraction Critical
GHSA-rj4j-2jph-gg43 was published for github.com/lf-edge/ekuiper/v2 (Go) Nov 24, 2025
Credited to odaysec and ptrgits
pypdf's LZWDecode streams can be manipulated to exhaust RAM Moderate
CVE-2025-66019 was published for pypdf (pip) Nov 24, 2025
Credited to aydinnyunus and stefan6419846
Formwork CMS has Stored Cross-Site Scripting Vulnerability in Blog Tags Moderate
CVE-2025-65956 was published for getformwork/formwork (Composer) Nov 24, 2025
Credited to 3m4n5
Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` Moderate
CVE-2025-65944 was published for @sentry/astro (npm) Nov 24, 2025
OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation High
CVE-2025-64761 was published for github.com/openbao/openbao (Go) Nov 24, 2025
Credited to cipherboy
new-api is vulnerable to SSRF Bypass High
CVE-2025-62155 was published for github.com/QuantumNous/new-api (Go) Nov 24, 2025
Credited to h3rrr and Calcium-Ion
NSSF panic due to nil pointer dereference when expiry field is omitted in NSSAIAvailability POST High
CVE-2025-60638 was published for github.com/free5gc/nssf (Go) Nov 24, 2025
Free5GC is vulnerable to DoS through its Npcf_BDTPolicyControl POST API Moderate
CVE-2025-60632 was published for github.com/free5gc/pcf (Go) Nov 24, 2025
Free5GC is vulnerable to DoS via the Nudm_SubscriberDataManagement API Moderate
CVE-2025-60633 was published for github.com/free5gc/openapi (Go) Nov 24, 2025
Apache Syncope's AES encryption stores hard-coded passwords in internal database High
CVE-2025-65998 was published for org.apache.syncope:syncope-core (Maven) Nov 24, 2025
thread-amount Vulnerable to Resource Exhaustion (Memory and Handle Leaks) on Windows and macOS High
CVE-2025-65947 was published for thread-amount (Rust) Nov 21, 2025
Credited to jzeuzs
SpiceDB: LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results Low
CVE-2025-65111 was published for github.com/authzed/spicedb (Go) Nov 21, 2025
MLX has Wild Pointer Dereference in load_gguf() Moderate
CVE-2025-62609 was published for mlx (pip) Nov 21, 2025
Credited to wickgit, mmudryi, and markiyanch
MLX has heap-buffer-overflow in load() Moderate
CVE-2025-62608 was published for mlx (pip) Nov 21, 2025
Credited to wickgit, mmudryi, and markiyanch
Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default High
CVE-2025-13357 was published for github.com/hashicorp/terraform-provider-vault (Go) Nov 21, 2025
Grafana Incorrect Privilege Assignment vulnerability Critical
CVE-2025-41115 was published for github.com/grafana/grafana (Go) Nov 21, 2025
Credited to cdupuis
ProTip! Advisories are also available from the GraphQL API