Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,635
Maven
5,000+
npm
4,262
NuGet
760
pip
4,057
Pub
12
RubyGems
956
Rust
1,054
Swift
45
Unreviewed advisories
All unreviewed
5,000+

1,629 advisories

Loading
@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser Low
GHSA-xffm-g5w8-qvg7 was published for @eslint/plugin-kit (npm) Jul 18, 2025
ericcornelissen Qix-
Credited to ericcornelissen and Qix-
Wasmtime CLI is vulnerable to host panic through its fd_renumber function Low
CVE-2025-53901 was published for wasmtime (Rust) Jul 18, 2025
hatoo rvolosatovs
Credited to hatoo and rvolosatovs
XXL-JOB is vulnerable to SSRF attacks Low
CVE-2025-7787 was published for com.xuxueli:xxl-job-core (Maven) Jul 18, 2025
Mattermost has Insufficiently Protected Credentials Low
CVE-2025-6227 was published for github.com/mattermost/mattermost-server (Go) Jul 18, 2025
on-headers is vulnerable to http response header manipulation Low
CVE-2025-7339 was published for on-headers (npm) Jul 17, 2025
ctcpip jonchurch
SPodjasek UlisesGascon sheplu Zen-cronic
Credited to ctcpip, jonchurch, SPodjasek, UlisesGascon, sheplu, and Zen-cronic
AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections Low
CVE-2025-53643 was published for aiohttp (pip) Jul 14, 2025
JeppW
Credited to JeppW
static-alloc vulnerability leads to uninitialized read after allocating MemBump Low
GHSA-xrrq-rrgq-h89w was published for static-alloc (Rust) Jul 11, 2025
Jenkins User1st uTester Plugin vulnerability exposes unencrypted token to authenticated users Low
CVE-2025-53678 was published for io.jenkins.plugins:user1st-utester (Maven) Jul 9, 2025
Jenkins Testsigma Test Plan vulnerability exposes API keys via job configuration form Low
CVE-2025-53661 was published for io.jenkins.plugins:testsigma (Maven) Jul 9, 2025
Contrast vulnerability allows arbitrary host data Injection into container VOLUME mount points Low
GHSA-phhq-63jg-fp7r was published for github.com/edgelesssys/contrast (Go) Jul 9, 2025
burgerdev katexochen
thomasten
Credited to burgerdev, katexochen, and thomasten
Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes Low
CVE-2025-53535 was published for better-auth (npm) Jul 7, 2025
mwlik imenyoo2
Credited to mwlik and imenyoo2
Transformers's Improper Input Validation vulnerability can be exploited through username injection Low
CVE-2025-3777 was published for transformers (pip) Jul 7, 2025
Next.js has a Cache poisoning vulnerability due to omission of the Vary header Low
CVE-2025-49005 was published for next (npm) Jul 3, 2025
string-math's string-math.js vulnerability can cause Regex Denial of Service (ReDoS) Low
CVE-2025-45143 was published for string-math (npm) Jun 30, 2025
File Browser's password protection of links is bypassable Low
CVE-2025-52996 was published for github.com/filebrowser/filebrowser (Go) Jun 30, 2025
mtausig hacdias
Credited to mtausig and hacdias
Langchain-Chatchat vulnerable to path traversal Low
CVE-2025-6854 was published for langchain-chatchat (pip) Jun 29, 2025
Langchain-Chatchat vulnerable to path traversal Low
CVE-2025-6855 was published for langchain-chatchat (pip) Jun 29, 2025
Langchain-Chatchat has a Path Traversal vulnerability Low
CVE-2025-6853 was published for langchain-chatchat (pip) Jun 29, 2025
Taylor has race condition in /get-patch that allows purchase token replay Low
GHSA-vh5j-5fhq-9xwg was published for taylored (npm) Jun 27, 2025
snyff
Credited to snyff
JuzaWeb CMS is vulnerable to Incorrect Privilege Assignment when installing Import Page component Low
CVE-2025-6735 was published for juzaweb/cms (Composer) Jun 27, 2025
JuzaWeb CMS is vulnerable to Incorrect Privilege Assignment when installing certain components Low
CVE-2025-6736 was published for juzaweb/cms (Composer) Jun 27, 2025
Magento Authenticated Security feature bypass Low
CVE-2025-49549 was published for magento/community-edition (Composer) Jun 26, 2025
Vault Community Edition rekey and recovery key operations can cause denial of service Low
CVE-2025-4656 was published for github.com/hashicorp/vault (Go) Jun 26, 2025
Incus Allocation of Resources Without Limits allows firewall rule bypass on managed bridge networks Low
CVE-2025-52889 was published for github.com/lxc/incus/v6 (Go) Jun 26, 2025
obp-anssi
Credited to obp-anssi
Xuxueli XXL-SSO Cross-site Scripting vulnerability Low
CVE-2025-6700 was published for com.xuxueli:xxl-sso (Maven) Jun 26, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database