Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,670
Maven
5,000+
npm
4,296
NuGet
760
pip
4,075
Pub
12
RubyGems
957
Rust
1,058
Swift
45
Unreviewed advisories
All unreviewed
5,000+

1,130 advisories

Loading
Mattermost allows system administrators to access password hashes and MFA secrets Moderate
CVE-2025-11794 was published for github.com/mattermost/mattermost-server (Go) Nov 14, 2025
KubeVirt Vulnerable to Arbitrary Host File Read and Write High
CVE-2025-64324 was published for kubevirt.io/kubevirt (Go) Nov 7, 2025
mihailkirov Faeris95
jean-edouard
Credited to mihailkirov, Faeris95, and jean-edouard
lakeFS affected by unauthenticated access to API usage metrics Moderate
CVE-2025-64179 was published for github.com/treeverse/lakefs (Go) Nov 3, 2025
arielshaqed nopcoder
Credited to arielshaqed and nopcoder
NextAuthjs Email misdelivery Vulnerability Moderate
GHSA-5jpx-9hw9-2fx4 was published for next-auth (npm) Oct 29, 2025
rootxjs
Credited to rootxjs
BBOT's gitlab.py exposes globally configured "gitlab" API key Moderate
CVE-2025-10282 was published for bbot (pip) Oct 27, 2025
justinsteven
Credited to justinsteven
Moodle exposed the names of hidden groups to users Moderate
CVE-2025-62400 was published for moodle/moodle (Composer) Oct 23, 2025
Strapi core vulnerable to sensitive data exposure via CORS misconfiguration Moderate
CVE-2025-53092 was published for @strapi/core (npm) Oct 16, 2025
ghostvirus62 derrickmehaffy
alexandrebodin innerdvations
Credited to ghostvirus62, derrickmehaffy, alexandrebodin, and innerdvations
Omni vulnerable to information leak via API High
CVE-2025-61688 was published for github.com/siderolabs/omni (Go) Oct 13, 2025
utkuozdemir
Credited to utkuozdemir
Rack has a Possible Information Disclosure Vulnerability Moderate
CVE-2025-61780 was published for rack (RubyGems) Oct 10, 2025
leahneukirchen jeremyevans
matthewd ioquatix
Credited to leahneukirchen, jeremyevans, matthewd, and ioquatix
BBOT's git_clone.py can expose users' GitHub API keys to an attacker-controlled webserver Moderate
CVE-2025-10281 was published for bbot (pip) Oct 9, 2025
justinsteven liquidsec
Credited to justinsteven and liquidsec
Canonical LXD Project Existence Determination Through Error Handling in Image Export Function Moderate
CVE-2025-54290 was published for github.com/canonical/lxd (Go) Oct 2, 2025
FormCMS has an improper access control vulnerability in the /api/schemas/history/[schemaId] endpoint Moderate
CVE-2025-55797 was published for FormCMS (NuGet) Sep 30, 2025
OpenMLS improper persistence of the secret tree during message processing Moderate
GHSA-qr9h-x63w-vqfm was published for openmls (Rust) Sep 26, 2025
erdoganege fatihergin
Credited to erdoganege and fatihergin
Rancher sends sensitive information to external services through the `/meta/proxy` endpoint Moderate
CVE-2025-54468 was published for github.com/rancher/rancher (Go) Sep 26, 2025
ml-logger file handler allows reading arbitrary files Moderate
CVE-2025-10952 was published for ml-logger (pip) Sep 25, 2025
WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled High
CVE-2025-54376 was published for github.com/SpectoLabs/hoverfly (Go) Sep 10, 2025
Kr1shna4garwal
Credited to Kr1shna4garwal
Vite middleware may serve files starting with the same name with the public directory Low
CVE-2025-58751 was published for vite (npm) Sep 9, 2025
orihjfrog lukeed
Credited to orihjfrog and lukeed
Vite's `server.fs` settings were not applied to HTML files Low
CVE-2025-58752 was published for vite (npm) Sep 9, 2025
orihjfrog dominikg
Credited to orihjfrog and dominikg
TYPO3 Workspaces Module Information Disclosure High
CVE-2025-59018 was published for typo3/cms-workspaces (Composer) Sep 9, 2025
TYPO3 CSV download feature information disclosure Moderate
CVE-2025-59019 was published for typo3/cms-backend (Composer) Sep 9, 2025
Atlantis Exposes Service Version Publicly on /status API Endpoint Low
CVE-2025-58445 was published for github.com/runatlantis/atlantis (Go) Sep 5, 2025
matthewmrichter
Credited to matthewmrichter
Argo CD's Project API Token Exposes Repository Credentials Critical
CVE-2025-55190 was published for github.com/argoproj/argo-cd/v2 (Go) Sep 4, 2025
ntammineni5 34fathombelow
alexmt jannfis crenshaw-dev svghadi
Credited to ntammineni5, 34fathombelow, alexmt, jannfis, crenshaw-dev, and svghadi
Langchain Community Vulnerable to XML External Entity (XXE) Attacks High
CVE-2025-6984 was published for langchain-community (pip) Sep 4, 2025
Jenkins Git client Plugin file system information disclosure vulnerability Moderate
CVE-2025-58458 was published for org.jenkins-ci.plugins:git-client (Maven) Sep 3, 2025
Valtimo scripting engine can be used to gain access to sensitive data or resources Critical
CVE-2025-58059 was published for com.ritense.valtimo:core (Maven) Aug 28, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database