GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,353 advisories

node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization (Severity: High)
CVE-2025-12816 was published for node-forge (npm) Nov 26, 2025
Credited to wodzen and sei-vsarvepalli

Valibot has a ReDoS vulnerability in `EMOJI_REGEX` (Severity: High)
CVE-2025-66020 was published for valibot (npm) Nov 26, 2025
Credited to makenowjust

OneUptime Unauthorized User Creation via API (Severity: High)
CVE-2025-65966 was published for @oneuptime/common (npm) Nov 26, 2025
Credited to SamirWaleed

OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation (Severity: Moderate)
CVE-2025-66028 was published for @oneuptime/common (npm) Nov 25, 2025
Credited to SamirWaleed

Better Auth Passkey Plugin allows passkey deletion through IDOR (Severity: High)
GHSA-4vcf-q4xf-f48m was published for @better-auth/passkey (npm) Nov 25, 2025
Credited to goksan

body-parser is vulnerable to denial of service when url encoding is used (Severity: Moderate)
CVE-2025-13466 was published for body-parser (npm) Nov 25, 2025
Credited to Phillip9587, bjohansebas, UlisesGascon, ctcpip, sheplu, and jonchurch

Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` (Severity: Moderate)
CVE-2025-65944 was published for @sentry/astro (npm) Nov 24, 2025

Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage (Severity: Moderate)
CVE-2025-63700 was published for @clerk/clerk-js (npm) Nov 20, 2025

authkit-nextjs may let session cookies be cached in CDNs (Severity: High)
CVE-2025-64762 was published for @workos-inc/authkit-nextjs (npm) Nov 20, 2025

@anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes (Severity: High)
CVE-2025-64755 was published for @anthropic-ai/claude-code (npm) Nov 20, 2025

zx Uses Incorrectly-Resolved Name or Reference (Severity: Moderate)
CVE-2025-13437 was published for zx (npm) Nov 20, 2025

md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter (Severity: Critical)
CVE-2025-65108 was published for md-to-pdf (npm) Nov 20, 2025
Credited to Prodigysec

@hpke/core reuses AEAD nonces (Severity: Critical)
CVE-2025-64767 was published for @hpke/core (npm) Nov 20, 2025
Credited to panva

@perfood/couch-auth may expose session tokens, passwords (Severity: Moderate)
CVE-2025-60794 was published for @perfood/couch-auth (npm) Nov 20, 2025

Claude Code vulnerable to command execution prior to startup trust dialog (Severity: High)
CVE-2025-65099 was published for @anthropic-ai/claude-code (npm) Nov 19, 2025

Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint (Severity: Moderate)
CVE-2025-65019 was published for astro (npm) Nov 19, 2025
Credited to zomaxsec and Sudistark

Astro vulnerable to reflected XSS via the server islands feature (Severity: High)
CVE-2025-64764 was published for astro (npm) Nov 19, 2025
Credited to cold-try

Astro Development Server has Arbitrary Local File Read (Severity: Low)
CVE-2025-64757 was published for astro (npm) Nov 19, 2025
Credited to monizb, Princesseuh, delucis, and ematipico

Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register) (Severity: High)
GHSA-v5w9-prxf-w882 was published for flowise (npm) Nov 17, 2025
Credited to ReeFSpeK and ERANV-EVA

@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message (Severity: Moderate)
CVE-2025-64758 was published for @dependencytrack/frontend (npm) Nov 17, 2025
Credited to jFriedli

glob CLI: Command injection via -c/--cmd executes matches with shell:true (Severity: High)
CVE-2025-64756 was published for glob (npm) Nov 17, 2025
Credited to Gyde04, aisle-research, G-Rath, bchew, qwilr-altonius, llwslc, EinfachHans, skremiec, AlanGreene, and isaacs

Apollo Federation has Improper Enforcement of Access Control on Transitive Fields (Severity: High)
GHSA-m8jr-fxqx-8xx6 was published for @apollo/composition (npm) Nov 14, 2025
Credited to dariuszkuc

Directus is Vulnerable to Stored Cross-site Scripting (Severity: Moderate)
CVE-2025-64747 was published for directus (npm) Nov 14, 2025
Credited to Cl0wnK1n9

Directus has Improper Permission Handling on Deleted Fields (Severity: Moderate)
CVE-2025-64746 was published for directus (npm) Nov 14, 2025
Credited to beafn28