GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28,407 advisories

pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default" High
CVE-2025-69264 was published for pnpm (npm) Jan 7, 2026
Credited to orenyomtov
pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies High
CVE-2025-69263 was published for pnpm (npm) Jan 7, 2026
Credited to orenyomtov
pnpm vulnerable to Command Injection via environment variable substitution High
CVE-2025-69262 was published for pnpm (npm) Jan 7, 2026
Credited to Sy2n0
RustFS gRPC GetMetrics deserialization panic enables remote DoS Moderate
CVE-2025-69255 was published for rustfs (Rust) Jan 7, 2026
Credited to max-r-b and enitmar
fast-filesystem-mcp has a Path Traversal vulnerability High
CVE-2025-67364 was published for fast-filesystem-mcp (npm) Jan 7, 2026
terminal-controller-mcp vulnerable to Command Injection Critical
CVE-2025-61492 was published for terminal-controller (pip) Jan 7, 2026
Undertow HTTP server core doesn't properly validate the Host header in incoming HTTP requests Critical
CVE-2025-12543 was published for io.undertow:undertow-core (Maven) Jan 7, 2026
Credited to aldexis and dpogorelov
RustFS Path Traversal Vulnerability High
CVE-2025-68705 was published for rustfs (Rust) Jan 7, 2026
Quarkus REST has potential worker thread starvation when HTTP connection is closed while waiting to write Moderate
CVE-2025-66560 was published for io.quarkus:quarkus-rest (Maven) Jan 7, 2026
OpenFlagr contains an authentication bypass vulnerability in the HTTP middleware Critical
CVE-2026-0650 was published for github.com/openflagr/flagr (Go) Jan 7, 2026
carbone Code Injection vulnerability Low
CVE-2024-14020 was published for carbone (npm) Jan 7, 2026
Directus has open redirect in SAML Moderate
CVE-2026-22032 was published for @directus/api (npm) Jan 6, 2026
Credited to im-soohyun and Seeunsama
rsa crate has potential panic on a prime being equal to 1 Low
CVE-2026-21895 was published for rsa (Rust) Jan 6, 2026
Credited to invd
Parsl Monitoring Visualization Vulnerable to SQL Injection Moderate
CVE-2026-21892 was published for parsl (pip) Jan 6, 2026
Credited to viralvaghela
Bypassing Kyverno Policies via Double Policy Exceptions Critical
GHSA-gg4x-fgg2-h9w9 was published for github.com/kyverno/kyverno (Go) Jan 6, 2026
Credited to r0binak
Bokeh server applications have Incomplete Origin Validation in WebSockets Moderate
CVE-2026-21883 was published for bokeh (pip) Jan 6, 2026
Credited to katzj and aydinnyunus
n8n Vulnerable to RCE via Arbitrary File Write Critical
CVE-2026-21877 was published for n8n (npm) Jan 6, 2026
Credited to theolelasseux
Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability Moderate
CVE-2026-21859 was published for github.com/axllent/mailpit (Go) Jan 6, 2026
Credited to omarkurt
MONAI has Path Traversal (Zip Slip) in NGC Private Bundle Download Moderate
CVE-2026-21851 was published for monai (pip) Jan 6, 2026
Credited to yueyueL and ericspod
Pterodactyl TOTPs can be reused during validity window Moderate
CVE-2025-69197 was published for pterodactyl/panel (Composer) Jan 6, 2026
Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced High
CVE-2025-68954 was published for github.com/pterodactyl/wings (Composer) Jan 6, 2026
Credited to real2two
AIOHTTP Vulnerable to Cookie Parser Warning Storm Low
CVE-2025-69230 was published for aiohttp (pip) Jan 5, 2026
Credited to Finder16 and Dreamsorcerer
AIOHTTP vulnerable to DoS through chunked messages Moderate
CVE-2025-69229 was published for aiohttp (pip) Jan 5, 2026
Credited to Finder16 and Dreamsorcerer
AIOHTTP vulnerable to denial of service through large payloads Moderate
CVE-2025-69228 was published for aiohttp (pip) Jan 5, 2026
Credited to ThomasRinsma, Finder16, and Dreamsorcerer