Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,405
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,641
Pub
13
RubyGems
1,026
Rust
1,209
Swift
53
Unreviewed advisories
All unreviewed
5,000+

28,407 advisories

Loading
Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran.myeval High
GHSA-3329-ghmp-jmv5 was published for picklescan (pip) Dec 29, 2025
CoolwindHF Credited to CoolwindHF
Picklescan is vulnerable to RCE through missing detection when calling built-in python operator.methodcaller High
GHSA-x843-g5mx-g377 was published for picklescan (pip) Dec 29, 2025
CoolwindHF Credited to CoolwindHF
Picklescan missing detection when calling numpy.f2py.crackfortran.getlincoef High
GHSA-r8g5-cgf2-4m4m was published for picklescan (pip) Dec 29, 2025
Picklescan Bypasses Unsafe Globals Check using pty.spawn High
GHSA-hgrh-qx5j-jfwx was published for picklescan (pip) Dec 29, 2025
yarienkiva Credited to yarienkiva
Picklescan missing detection when calling pty.spawn High
GHSA-vqmv-47xg-9wpr was published for picklescan (pip) Dec 29, 2025
geo-lit Credited to geo-lit, ajohnston9, and 0x00nier ajohnston9 ajohnston9
0x00nier 0x00nier
Picklescan has Incomplete List of Disallowed Inputs High
GHSA-84r2-jw7c-4r5q was published for picklescan (pip) Dec 29, 2025
0x-Apollyon Credited to 0x-Apollyon
Picklescan does not block ctypes High
GHSA-4675-36f9-wf6r was published for picklescan (pip) Dec 29, 2025
0x-Apollyon Credited to 0x-Apollyon
Picklescan vulnerable to Arbitrary File Writing High
GHSA-m273-6v24-x4m4 was published for picklescan (pip) Dec 29, 2025
0x-Apollyon Credited to 0x-Apollyon
SQLE's JWT Secret Handler can be manipulated to use hard-coded cryptographic key Low
CVE-2025-15107 was published for github.com/actiontech/sqle (Go) Dec 27, 2025
FastMCP updated to MCP 1.23+ due to CVE-2025-66416 High
GHSA-rcfx-77hg-w2wv was published for fastmcp (pip) Dec 26, 2025
phvalguima Credited to phvalguima
ruint affected by unsoundness of safe `reciprocal_mg10` Moderate
GHSA-9fjq-45qv-pcm7 was published for ruint (Rust) Dec 26, 2025
Croogo CMS has a path traversal vulnerability High
CVE-2024-42718 was published for croogo/croogo (Composer) Dec 26, 2025
apidoc-core has a prototype pollution vulnerability Critical
CVE-2025-13158 was published for apidoc-core (npm) Dec 26, 2025
Self-hosted n8n has Legacy Code node that enables arbitrary file read/write High
CVE-2025-68697 was published for n8n (npm) Dec 26, 2025
berkdedekarginoglu Credited to berkdedekarginoglu
n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node Critical
CVE-2025-68668 was published for n8n (npm) Dec 26, 2025
berkdedekarginoglu Credited to berkdedekarginoglu, VladimirEliTokarev, Ofekitach, and nnfrog VladimirEliTokarev VladimirEliTokarev
Ofekitach Ofekitach nnfrog nnfrog
lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load() High
CVE-2025-67729 was published for lmdeploy (pip) Dec 26, 2025
yueyueL Credited to yueyueL
n8n's Possible Stored XSS in "Respond to Webhook" Node May Execute Outside iframe Sandbox High
CVE-2025-61914 was published for n8n (npm) Dec 26, 2025
nlgbao1340 Credited to nlgbao1340
libxmljs has segmentation fault, potentially leading to a denial-of-service (DoS) High
CVE-2025-25341 was published for libxmljs (npm) Dec 26, 2025
Gitea: anonymous user can visit private user's project Moderate
CVE-2025-68945 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order Moderate
CVE-2025-68943 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries Moderate
CVE-2025-68944 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Gitea vulnerable to Cross-site Scripting Moderate
CVE-2025-68946 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text Moderate
CVE-2025-68942 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources Moderate
CVE-2025-68941 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Gitea allows attackers to add attachments with forbidden file extensions High
CVE-2025-68939 was published for code.gitea.io/gitea (Go) Dec 26, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database