GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28,408 advisories

Gitea allows attackers to add attachments with forbidden file extensions High
CVE-2025-68939 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources Moderate
CVE-2025-68941 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Gitea doesn't adequately enforce branch deletion permissions after merging a pull request Low
CVE-2025-68940 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues Moderate
CVE-2025-13767 was published for github.com/mattermost/mattermost-server (Go) Dec 24, 2025
Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin Moderate
CVE-2025-64641 was published for github.com/mattermost/mattermost-server (Go) Dec 24, 2025
LangChain serialization injection vulnerability enables secret extraction High
CVE-2025-68665 was published for @langchain/core (npm) Dec 23, 2025
Credited to eyurtsev, ccurme, mdrxy, 0xn3va, yardenporat353, VladimirEliTokarev, hntrl, siewer, and jacoblee93
httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage High
CVE-2025-68696 was published for httparty (RubyGems) Dec 23, 2025
Credited to lambdasawa and ashkulz
LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs Critical
CVE-2025-68664 was published for langchain-core (pip) Dec 23, 2025
Credited to 0xn3va, yardenporat353, VladimirEliTokarev, eyurtsev, ccurme, mdrxy, and hntrl
Home Assistant Core before is vulnerable to Directory Traversal Moderate
CVE-2025-65713 was published for homeassistant (pip) Dec 23, 2025
Cadmium CMS has a background arbitrary file upload vulnerability High
CVE-2025-51511 was published for cadmium-org/cadmium-cms (Composer) Dec 23, 2025
LibreNMS Alert Rule API Cross-Site Scripting Vulnerability Moderate
CVE-2025-68614 was published for librenms/librenms (Composer) Dec 23, 2025
Credited to zdi-disclosures
Local Deep Research is Vulnerable to Server-Side Request Forgery (SSRF) in Download Service Moderate
CVE-2025-67743 was published for local-deep-research (pip) Dec 23, 2025
Credited to yueyueL
Fedify has ReDoS Vulnerability in HTML Parsing Regex High
CVE-2025-68475 was published for @fedify/fedify (npm) Dec 22, 2025
Credited to yueyueL
Umbraco CMS has an arbitrary file upload vulnerability Moderate
CVE-2025-67288 was published for Umbraco.Cms (NuGet) Dec 22, 2025
Credited to legacy-git
Piranha has stored cross-site scripting (XSS) vulnerability Low
CVE-2025-67291 was published for Piranha (NuGet) Dec 22, 2025
Piranha has stored cross-site scripting (XSS) vulnerability Low
CVE-2025-67290 was published for Piranha (NuGet) Dec 22, 2025
Marshmallow has DoS in Schema.load(many) Moderate
CVE-2025-68480 was published for marshmallow (pip) Dec 22, 2025
KEDA has Arbitrary File Read via Insufficient Path Validation in HashiCorp Vault Service Account Credential High
CVE-2025-68476 was published for github.com/kedacore/keda/v2 (Go) Dec 22, 2025
n8n Vulnerable to Remote Code Execution via Expression Injection Critical
CVE-2025-68613 was published for n8n (npm) Dec 22, 2025
Credited to fatihhcelik and yuvalo1212
Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm High
CVE-2025-14273 was published for github.com/mattermost/mattermost-plugin-jira (Go) Dec 22, 2025
Cowrie has a SSRF vulnerability in wget/curl emulation enabling DDoS amplification Moderate
CVE-2025-34469 was published for cowrie (pip) Dec 20, 2025
Credited to filippolauria, mcastellaneta, claudiopo82, and saraafzal467
External Control of File Name or Path in Langflow High
CVE-2025-68478 was published for langflow (pip) Dec 19, 2025
Credited to J1vvoo and im-soohyun
Langflow vulnerable to Server-Side Request Forgery High
CVE-2025-68477 was published for langflow (pip) Dec 19, 2025
Credited to im-soohyun
Tuta Mail has DOM attribute and CSS injection in its Contact Viewer feature Low
GHSA-24v3-254g-jv85 was published for @tutao/tutanota-utils (npm) Dec 19, 2025
Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization Moderate
CVE-2025-13467 was published for org.keycloak:keycloak-ldap-federation (Maven) Dec 19, 2025
Credited to eminaktas
Advisories are also available from the GraphQL API.