Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,439
Maven
5,000+
npm
5,000+
NuGet
883
pip
4,695
Pub
13
RubyGems
1,031
Rust
1,222
Swift
53
Unreviewed advisories
All unreviewed
5,000+

28,660 advisories

Loading
Cockpit Arbitrary File Upload High
CVE-2025-1025 was published for cockpit-hq/cockpit (Composer) Feb 5, 2025
Sparkle Signing Checks Bypass High
CVE-2025-0509 was published for github.com/sparkle-project/Sparkle (Swift) Feb 4, 2025
MarbleRun unauthenticated recovery allows Coordinator impersonation High
GHSA-w7wm-2425-7p2h was published for github.com/edgelesssys/marblerun (Go) Feb 4, 2025
wasmvm: Malicious smart contract can slow down block production Moderate
GHSA-mx2j-7cmv-353c was published for cosmwasm-vm (Go) Feb 4, 2025
wasmvm: Malicious smart contract can crash the chain Moderate
GHSA-23qp-3c2m-xx6w was published for github.com/CosmWasm/wasmvm (Go) Feb 4, 2025
Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening Critical
CVE-2025-24964 was published for vitest (npm) Feb 4, 2025
sapphi-red Credited to sapphi-red
Vitest browser mode serves arbitrary files Moderate
CVE-2025-24963 was published for @vitest/browser (npm) Feb 4, 2025
sapphi-red Credited to sapphi-red and rsholokh rsholokh rsholokh
Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions High
CVE-2025-23015 was published for org.apache.cassandra:cassandra-all (Maven) Feb 4, 2025
Apache Cassandra: CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed allowing access to different network regions Moderate
CVE-2025-24860 was published for org.apache.cassandra:cassandra-all (Maven) Feb 4, 2025
Apache Cassandra: unrestricted deserialization of JMX authentication credentials Moderate
CVE-2024-27137 was published for org.apache.cassandra:cassandra-all (Maven) Feb 4, 2025
Jenkins Zoom Plugin is Missing Password Field Masking Low
CVE-2025-0148 was published for io.jenkins.plugins:zoom (Maven) Feb 4, 2025
ZX Allows Environment Variable Injection for dotenv API Moderate
CVE-2025-24959 was published for zx (npm) Feb 3, 2025
arkark Credited to arkark
rust-openssl ssl::select_next_proto use after free Moderate
CVE-2025-24898 was published for openssl (Rust) Feb 3, 2025
mmastrac Credited to mmastrac
S3Proxy allows insecure path traversal in filesystem and filesystem-nio2 storage backends Moderate
CVE-2025-24961 was published for org.gaul:s3proxy (Maven) Feb 3, 2025
xbow-security Credited to xbow-security
CometBFT allows a malicious peer to stall the network by disseminating seemingly valid block parts High
GHSA-r3r4-g7hq-pq4f was published for github.com/cometbft/cometbft (Go) Feb 3, 2025
unknownfeature Credited to unknownfeature
TShock allows chat while not fully connected, possible ban evasion Moderate
GHSA-f8mx-cwfh-7hr2 was published for tshock (NuGet) Feb 3, 2025
ohayo Credited to ohayo
CometBFT allows a malicious peer to make node stuck in blocksync Moderate
CVE-2025-24371 was published for github.com/cometbft/cometbft (Go) Feb 3, 2025
unknownfeature Credited to unknownfeature
Django-Unicorn Class Pollution Vulnerability, Leading to XSS, DoS and Authentication Bypass Critical
CVE-2025-24370 was published for django-unicorn (pip) Feb 3, 2025
superboy-zjc Credited to superboy-zjc and jackfromeast jackfromeast jackfromeast
PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters Moderate
CVE-2025-23210 was published for phpoffice/phpexcel (Composer) Feb 3, 2025
Grafana Alerting VictorOps integration could be exposed to users with Viewer permission Moderate
CVE-2024-11741 was published for github.com/grafana/grafana (Go) Jan 31, 2025
WildFly improper RBAC permission Moderate
CVE-2025-23367 was published for org.wildfly.core:wildfly-server (Maven) Jan 31, 2025
PMD Designer's release key passphrase (GPG) available on Maven Central in cleartext Critical
CVE-2025-23215 was published for net.sourceforge.pmd:pmd-core (Maven) Jan 31, 2025
hboutemy Credited to hboutemy and yusuke-koyoshi yusuke-koyoshi yusuke-koyoshi
Jenkins Zoom Plugin Stores Sensitive Information in Cleartext Moderate
CVE-2025-0142 was published for io.jenkins.plugins:zoom (Maven) Jan 30, 2025
Soundness issue with Plonky2 look up tables High
CVE-2025-24802 was published for plonky2 (Rust) Jan 30, 2025
bkomuves Credited to bkomuves
Argo CD does not scrub secret values from patch errors Moderate
CVE-2025-23216 was published for github.com/argoproj/argo-cd (Go) Jan 30, 2025
svghadi Credited to svghadi
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database