Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,412
Erlang
33
GitHub Actions
22
Go
2,148
Maven
5,000+
npm
3,814
NuGet
689
pip
3,487
Pub
12
RubyGems
901
Rust
900
Swift
38
Unreviewed advisories
All unreviewed
5,000+

21,463 advisories

Loading
Formwork has a cross-site scripting (XSS) vulnerability in Site title Moderate
GHSA-vf6x-59hh-332f was published for getformwork/formwork (Composer) Mar 1, 2025
Kyokito1412
Pebble has Arbitrary Local File Inclusion (LFI) Vulnerability via `include` macro High
CVE-2025-1686 was published for io.pebbletemplates:pebble (Maven) Feb 28, 2025
ntpd NTS client denial of service via wrongly sized cookies Moderate
GHSA-v83q-83hj-rw38 was published for ntpd (Rust) Feb 28, 2025
IBC-Go has Non-deterministic JSON Unmarshalling of IBC Acknowledgement Critical
GHSA-jg6f-48ff-5xrw was published for github.com/cosmos/ibc-go (Go) Feb 28, 2025
swelf19
Spotipy's cache file, containing spotify auth token, is created with overly broad permissions High
CVE-2025-27154 was published for spotipy (pip) Feb 28, 2025
alichtman
Memos Server-Side Request Forgery (SSRF) Moderate
CVE-2025-22952 was published for github.com/usememos/memos (Go) Feb 27, 2025
mongosh vulnerable to local privilege escalation High
CVE-2025-1756 was published for mongosh (npm) Feb 27, 2025
Rancher does not Properly Validate Account Bindings in SAML Authentication Enables User Impersonation on First Login High
CVE-2025-23389 was published for github.com/rancher/rancher (Go) Feb 27, 2025
Rancher allows an unauthenticated stack overflow in /v3-public/authproviders API High
CVE-2025-23388 was published for github.com/rancher/rancher (Go) Feb 27, 2025
Rancher's SAML-based login via CLI can be denied by unauthenticated users Moderate
CVE-2025-23387 was published for github.com/rancher/rancher (Go) Feb 27, 2025
MongoDB Shell may be susceptible to control character Injection via shell output Low
CVE-2025-1693 was published for mongosh (npm) Feb 27, 2025
MongoDB Shell may be susceptible to control character injection via pasting Moderate
CVE-2025-1692 was published for mongosh (npm) Feb 27, 2025
MongoDB Shell may be susceptible to Control Character Injection via autocomplete High
CVE-2025-1691 was published for mongosh (npm) Feb 27, 2025
WSO2 incorrect authorization vulnerability Moderate
CVE-2024-2321 was published for org.wso2.am:am-parent (Maven) Feb 27, 2025
Mautic allows Relative Path Traversal in assets file upload Moderate
CVE-2022-25773 was published for mautic/core (Composer) Feb 26, 2025
patrykgruszka majkelstick
escopecz
Mautic allows Improper Authorization in Reporting API High
CVE-2024-47053 was published for mautic/core (Composer) Feb 26, 2025
escopecz patrykgruszka
Mautic allows Remote Code Execution and File Deletion in Asset Uploads Critical
CVE-2024-47051 was published for mautic/core (Composer) Feb 26, 2025
mallo-m patrykgruszka
copyparty renders unsanitized filenames as HTML when user uploads empty files Low
CVE-2025-27145 was published for copyparty (pip) Feb 26, 2025
JayPatel48
io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout High
CVE-2025-1634 was published for io.quarkus:quarkus-resteasy (Maven) Feb 26, 2025
r3kumar
Matrix IRC Bridge allows IRC command injection to own puppeted user Low
CVE-2025-27146 was published for matrix-appservice-irc (npm) Feb 25, 2025
DOM Expressions has a Cross-Site Scripting (XSS) vulnerability due to improper use of string.replace High
CVE-2025-27108 was published for dom-expressions (npm) Feb 25, 2025
nsysean ryansolid
Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS) High
CVE-2025-27109 was published for solid-js (npm) Feb 25, 2025
ryansolid nsysean
Navidrome allows an authentication bypass in Subsonic API with non-existent username Moderate
CVE-2025-27112 was published for github.com/navidrome/navidrome (Go) Feb 25, 2025
daniele-athome
LTI JupyterHub Authenticator does not properly validate JWT Signature Critical
CVE-2023-25574 was published for jupyterhub-ltiauthenticator (pip) Feb 25, 2025
consideRatio
DoS in go-jose Parsing Moderate
CVE-2025-27144 was published for github.com/go-jose/go-jose (Go) Feb 24, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database