GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
28,408 advisories
filelock has a TOCTOU race condition which allows symlink attacks during lock file creation
Moderate
CVE-2025-68146
was published
for
filelock
(pip)
Dec 16, 2025
Libredesk has Improper Neutralization of HTML Tags in a Web Page
High
CVE-2025-68927
was published
for
github.com/abhinavxd/libredesk
(Go)
Dec 16, 2025
tRPC has possible prototype pollution in `experimental_nextAppDirCaller`
High
CVE-2025-68130
was published
for
@trpc/server
(npm)
Dec 16, 2025
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables
Moderate
CVE-2025-68115
was published
for
parse-server
(npm)
Dec 16, 2025
ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay
Moderate
CVE-2025-68113
was published
for
altcha
(RubyGems)
Dec 16, 2025
Fickling has Code Injection vulnerability via pty.spawn()
High
CVE-2025-67748
was published
for
fickling
(pip)
Dec 15, 2025
Fickling has missing detection for marshal.loads and types.FunctionType in unsafe modules list
High
CVE-2025-67747
was published
for
fickling
(pip)
Dec 15, 2025
Netty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder
Moderate
CVE-2025-67735
was published
for
io.netty:netty-codec-http
(Maven)
Dec 15, 2025
Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR)
Moderate
CVE-2025-67715
was published
for
Weblate
(pip)
Dec 15, 2025
Weblate's over‑permissive webhook endpoint enables mass repository updates and component enumeration
Moderate
CVE-2025-67492
was published
for
Weblate
(pip)
Dec 15, 2025
Withdrawn Advisory: LikeC4 has RCE through vulnerable React and Next.js versions
Critical
GHSA-vr6p-vq2p-6j74
was published
for
likec4
(npm)
Dec 15, 2025
•
withdrawn
Misskey has a login rate limit bypass via spoofed X-Forwarded-For header
Moderate
CVE-2025-66482
was published
for
misskey-js
(npm)
Dec 15, 2025
misskey.js's export data contains private post data
High
CVE-2025-66402
was published
for
misskey-js
(npm)
Dec 15, 2025
ProTip!
Advisories are also available from the
GraphQL API