
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28,407 advisories

XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService Moderate
CVE-2025-65090 was published for org.xwiki.contrib:macro-fullcalendar-pom (Maven) Jan 9, 2026
October CMS Vulnerable to Stored XSS via Editor and Branding Styles Moderate
CVE-2025-61674 was published for october/system (Composer) Jan 9, 2026
Credited to nakkouchtarek and daftspunk
FASTJSON Includes Functionality from Untrusted Control Sphere Critical
CVE-2025-70974 was published for com.alibaba:fastjson (Maven) Jan 9, 2026
Authlib has 1-click Account Takeover vulnerability Moderate
CVE-2025-68158 was published for authlib (pip) Jan 8, 2026
Credited to davidbors-snyk, galgolamiel, and levpachmanov
AWS SDK for Swift adopted defense in depth enhancement for region parameter value Low
GHSA-pc9j-5v36-2mww was published for github.com/awslabs/aws-sdk-swift (Swift) Jan 8, 2026
JavaScript SDK v2 users should add validation to the region parameter value in or migrate to v3 Low
GHSA-j965-2qgj-vjmq was published for aws-sdk (npm) Jan 8, 2026
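The advisory above tells SDK v2 users to validate the region value themselves (or migrate to v3). The following is an added example, not code from the AWS SDK or from the advisory: an allow-list check applied to a region value before it is handed to a client configuration. The `REGION_PATTERN` regular expression, the 32-character length cap, and the `safeClientConfig` helper are this example's own assumptions about what a well-formed region name looks like; they are not the SDK's validation rules, and a rejected value is treated as a hard error rather than silently corrected.

```javascript
// Added example (not AWS SDK code): gate an untrusted region value before
// it reaches an SDK client constructor. The pattern below is an assumption
// made for this example, not the SDK's own definition of a valid region.
const REGION_PATTERN = /^[a-z]{2}(-[a-z]+)+-\d{1,2}$/;
const MAX_REGION_LENGTH = 32; // assumed cap; real region names are far shorter

function isWellFormedRegion(value) {
  // Only accept short, lowercase, dash-separated identifiers ending in a
  // number. Anything carrying '.', '/', ':', whitespace or uppercase is
  // refused, so the value cannot smuggle extra host or path components.
  return (
    typeof value === 'string' &&
    value.length > 0 &&
    value.length <= MAX_REGION_LENGTH &&
    REGION_PATTERN.test(value)
  );
}

function assertRegion(value) {
  if (!isWellFormedRegion(value)) {
    throw new TypeError(`Rejected region value: ${JSON.stringify(value)}`);
  }
  return value;
}

// Hypothetical helper: copy a config object, replacing `region` with the
// validated value, so the check happens once at the point of construction.
function safeClientConfig(config) {
  return { ...config, region: assertRegion(config.region) };
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLE_INPUTS = [
  'us-east-1',                    // accepted
  'us-gov-west-1',                // accepted
  'ap-southeast-2',               // accepted
  'us-east-1.attacker.example',   // rejected: extra host label
  'us-east-1/../admin',           // rejected: path characters
  'US-EAST-1',                    // rejected: uppercase
  '',                             // rejected: empty
];

function classifySamples() {
  return SAMPLE_INPUTS.map((value) => ({ value, ok: isWellFormedRegion(value) }));
}

for (const { value, ok } of classifySamples()) {
  console.log(`${ok ? 'accept' : 'reject'}  ${JSON.stringify(value)}`);
}
```

Use `safeClientConfig({ region: req.query.region, ... })` wherever the region originates from a request, environment variable or other input you do not control; the check is deliberately strict and will need widening if your deployment uses region names that do not match the assumed pattern.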
AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value Low
GHSA-6475-r3vj-m8vf was published for @smithy/config-resolver (npm) Jan 8, 2026
vLLM introduced enhanced protection for CVE-2025-62164 High
GHSA-mcmc-2m55-j8jj was published for vllm (pip) Jan 8, 2026
AWS SDK for Rust v1 adopted defense in depth enhancement for region parameter value Low
GHSA-g59m-gf8j-gjf5 was published for aws-sdk-accessanalyzer (Rust) Jan 8, 2026
Ghost has SQL Injection in Members Activity Feed Moderate
CVE-2026-22596 was published for ghost (npm) Jan 8, 2026
Credited to odgrso
Ghost has SSRF via External Media Inliner Moderate
CVE-2026-22597 was published for ghost (npm) Jan 8, 2026
Credited to odgrso
Ghost has Staff Token permission bypass High
CVE-2026-22595 was published for ghost (npm) Jan 8, 2026
Credited to odgrso
Elliptic Uses a Cryptographic Primitive with a Risky Implementation Low
CVE-2025-14505 was published for elliptic (npm) Jan 8, 2026
Ghost has Staff 2FA bypass High
CVE-2026-22594 was published for ghost (npm) Jan 8, 2026
Credited to odgrso
Spree API has Unauthenticated IDOR - Guest Address High
CVE-2026-22589 was published for spree_core (RubyGems) Jan 8, 2026
Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification Moderate
CVE-2026-22588 was published for spree_api (RubyGems) Jan 8, 2026
Salvo is vulnerable to reflected XSS in the list_html function High
CVE-2026-22256 was published for salvo (Rust) Jan 8, 2026
Credited to AhmedMokhtari, mwlik, and imenyoo2
Shakapacker has environment variable leak via EnvironmentPlugin that exposes secrets to client-side bundles High
GHSA-96qw-h329-v5rg was published for shakapacker (RubyGems) Jan 8, 2026
Soft Serve is missing an authorization check in LFS lock deletion Moderate
CVE-2026-22253 was published for github.com/charmbracelet/soft-serve (Go) Jan 8, 2026
Credited to Tomer-PL
React Router has CSRF issue in Action/Server Action Request Processing Moderate
CVE-2026-22030 was published for @remix-run/server-runtime (npm) Jan 8, 2026
Credited to Oceandust
React Router vulnerable to XSS via Open Redirects High
CVE-2026-22029 was published for @remix-run/router (npm) Jan 8, 2026
Credited to Oceandust
React Router SSR XSS in ScrollRestoration High
CVE-2026-21884 was published for @remix-run/react (npm) Jan 8, 2026
Credited to zaddy6 and arthurgervais
React Router has unexpected external redirect via untrusted paths Moderate
CVE-2025-68470 was published for react-router (npm) Jan 8, 2026
Credited to APshenkin
React Router has Path Traversal in File Session Storage Critical
CVE-2025-61686 was published for @react-router/node (npm) Jan 8, 2026
Credited to zaddy6
Advisories are also available from the GraphQL API.