Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,405
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,641
Pub
13
RubyGems
1,026
Rust
1,209
Swift
53
Unreviewed advisories
All unreviewed
5,000+

28,407 advisories

Loading
libsodium has Incomplete List of Disallowed Inputs Moderate
CVE-2025-69277 was published for PyNaCl (Composer) Dec 31, 2025
theshit vulnerable to unsafe loading of user-owned Python rules when running as root High
CVE-2025-69257 was published for theshit (Rust) Dec 30, 2025
AsfhtgkDavid Credited to AsfhtgkDavid
ImageMagick's failure to limit MVG mutual causes Stack Overflow Moderate
CVE-2025-68950 was published for Magick.NET-Q16-AnyCPU (NuGet) Dec 30, 2025
ylwango613 Credited to ylwango613
RustFS has a gRPC Hardcoded Token Authentication Bypass Critical
CVE-2025-68926 was published for rustfs (Rust) Dec 30, 2025
ImageMagick's failure to limit the depth of SVG file reads caused a DoS attack Moderate
CVE-2025-68618 was published for Magick.NET-Q16-AnyCPU (NuGet) Dec 30, 2025
ylwango613 Credited to ylwango613
Temporal has a namespace policy bypass allowing requests to be authorized for incorrect contexts Low
CVE-2025-14986 was published for go.temporal.io/server (Go) Dec 30, 2025
Temporal has an Incorrect Authorization vulnerability Moderate
CVE-2025-14987 was published for go.temporal.io/server (Go) Dec 30, 2025
URI Credential Leakage Bypass over CVE-2025-27221 Low
CVE-2025-61594 was published for uri (RubyGems) Dec 30, 2025
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion Moderate
CVE-2025-15284 was published for qs (npm) Dec 30, 2025
samipmainali Credited to samipmainali and ljharb ljharb ljharb
FacturaScripts is Vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload High
CVE-2025-69210 was published for facturascripts/facturascripts (Composer) Dec 30, 2025
vettrivel007 Credited to vettrivel007
YOURLS is vulnerable to XSS through JSONP and Callback request parameters High
GHSA-6mp4-q625-mxjp was published for yourls/yourls (Composer) Dec 30, 2025
DenizParlak Credited to DenizParlak
PsiTransfer has Zip Slip Path Traversal via TAR Archive Download High
GHSA-xphh-5v4r-r3rx was published for psitransfer (npm) Dec 30, 2025
DenizParlak Credited to DenizParlak
Composer is vulnerable to ANSI sequence injection Low
CVE-2025-67746 was published for composer/composer (Composer) Dec 30, 2025
cs278 Credited to cs278
axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header Moderate
CVE-2025-69202 was published for axios-cache-interceptor (npm) Dec 30, 2025
kishore03109 Credited to kishore03109 and arthurfiorette arthurfiorette arthurfiorette
Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU) Moderate
CVE-2025-69211 was published for @nestjs/platform-fastify (npm) Dec 30, 2025
phpMyFAQ has unauthenticated config backup download via /api/setup/backup High
CVE-2025-69200 was published for thorsten/phpmyfaq (Composer) Dec 30, 2025
eclipse07077-ljw Credited to eclipse07077-ljw
Picklescan is vulnerable to RCE via missing detection when calling built-in python _operator.attrgetter High
GHSA-46h3-79wf-xr6c was published for picklescan (pip) Dec 30, 2025
CoolwindHF Credited to CoolwindHF
Picklescan is vulnerable to RCE via missing detection when calling built-in python _operator.methodcaller High
GHSA-955r-x9j8-7rhh was published for picklescan (pip) Dec 30, 2025
CoolwindHF Credited to CoolwindHF
Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran._eval_length Moderate
GHSA-6556-fwc2-fg2p was published for picklescan (pip) Dec 30, 2025
ac0d3r Credited to ac0d3r and Lyutoon Lyutoon Lyutoon
Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.getlincoef High
GHSA-rrxm-2pvv-m66x was published for picklescan (pip) Dec 30, 2025
ac0d3r Credited to ac0d3r and Lyutoon Lyutoon Lyutoon
Pterodactyl has a Reflected XSS vulnerability in “Create New Database Host” Low
GHSA-mgr9-6c2j-jxrq was published for pterodactyl/panel (Composer) Dec 30, 2025
4rdr Credited to 4rdr
Visual Studio Code Go extension has unexpected untrusted code execution Moderate
CVE-2025-68120 was published for github.com/golang/vscode-go (Go) Dec 30, 2025
Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.param_eval Moderate
GHSA-cffc-mxrf-mhh4 was published for picklescan (pip) Dec 29, 2025
CoolwindHF Credited to CoolwindHF
phpMyFAQ has Stored XSS in user list via admin-managed display_name Moderate
CVE-2025-68951 was published for thorsten/phpmyfaq (Composer) Dec 29, 2025
eclipse07077-ljw Credited to eclipse07077-ljw
hemmelig allows SSRF Filter bypass via Secret Request functionality Moderate
CVE-2025-69206 was published for hemmelig (npm) Dec 29, 2025
Alakinnn Credited to Alakinnn
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database