Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,827
Erlang
36
GitHub Actions
32
Go
2,441
Maven
5,000+
npm
4,061
NuGet
723
pip
3,859
Pub
12
RubyGems
941
Rust
1,007
Swift
38
Unreviewed advisories
All unreviewed
5,000+

1,277 advisories

Loading
Regular Expression Denial of Service (ReDoS) in lodash Moderate
CVE-2020-28500 was published for lodash (RubyGems) Jan 6, 2022
mitchell-codecov nitaiapiiro
DmitriyLewen jkmartindale G-Rath
Prototype Pollution in lodash Moderate
CVE-2018-3721 was published for lodash (RubyGems) Jul 26, 2018
G-Rath
Regular Expression Denial of Service (ReDoS) in lodash Moderate
CVE-2019-1010266 was published for lodash (RubyGems) Jul 19, 2019
mitchell-codecov G-Rath
Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers Moderate
CVE-2025-55152 was published for @oakserver/oak (npm) Aug 12, 2025
dellalibera
Astros's duplicate trailing slash feature leads to an open redirection security issue Moderate
CVE-2025-54793 was published for astro (npm) Aug 7, 2025
ghiyastfarisi ascorbic
ematipico
The Thinbus Javascript Secure Remote Password (SRP) Client Generates Fewer Bits of Entropy Than Intended Moderate
CVE-2025-54885 was published for thinbus-srp (npm) Aug 6, 2025
SvenSchindler
Uptime Kuma's Regular Expression in pushdeeer and whapi file Leads to ReDoS Vulnerability Due to Catastrophic Backtracking Moderate
CVE-2025-26042 was published for uptime-kuma (npm) Mar 31, 2025
ShiyuBanzhou
Duplicate Advisory: Uptime Kuma ReDoS vulnerability Moderate
GHSA-3rw8-4xrq-3f7p was published for uptime-kuma (npm) Mar 17, 2025 withdrawn
marcschaeferger
IPX Allows Path Traversal via Prefix Matching Bypass Moderate
CVE-2025-54387 was published for ipx (npm) Aug 4, 2025
dellalibera
webfinger.js Blind SSRF Vulnerability Moderate
CVE-2025-54590 was published for webfinger.js (npm) Jul 28, 2025
orihjfrog silverbucket
@cloudflare/workers-oauth-provider missing validation of redirect_uri on authorize endpoint Moderate
CVE-2025-4143 was published for @cloudflare/workers-oauth-provider (npm) May 1, 2025
Angular (deprecated package) Cross-site Scripting Moderate
CVE-2022-25869 was published for angular (npm) Jul 16, 2022
Bun has an Application-level Prototype Pollution vulnerability in the runtime native API for Glo Moderate
CVE-2024-21548 was published for bun (npm) Dec 18, 2024
lirantal
HAX CMS application pages vulnerable to clickjacking Moderate
CVE-2025-54139 was published for @haxtheweb/haxcms-nodejs (Composer) Jul 21, 2025
lfgberg odransfield
pubnub Insufficient Entropy vulnerability Moderate
CVE-2023-26154 was published for Pubnub (RubyGems) Dec 6, 2023
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability Moderate
CVE-2024-35255 was published for @azure/identity (Go) Jun 11, 2024
scottaddie localden
jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label Moderate
CVE-2022-31160 was published for jQuery.UI.Combined (RubyGems) Jul 18, 2022
Elkano c960657
Borzik
OpenZeppelin Contracts Bytes's lastIndexOf function with position argument performs out-of-bound memory access on empty buffers Moderate
CVE-2025-54070 was published for @openzeppelin/contracts (npm) Jul 17, 2025
vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes Moderate
CVE-2025-53892 was published for @intlify/core (npm) Jul 16, 2025
luoingly
DiracX-Web is vulnerable to attack through an Open Redirect on its login page Moderate
CVE-2025-54066 was published for @dirac-grid/diracx-web-components (npm) Jul 17, 2025
Robin-Van-de-Merghel
Directus' insufficient permission checks can enable unauthenticated users to manually trigger Flows Moderate
CVE-2025-53889 was published for directus (npm) Jul 15, 2025
licitdev
Directus' exact version number is exposed by the OpenAPI Spec Moderate
CVE-2025-53887 was published for directus (npm) Jul 15, 2025
br41nslug
Directus tokens are not redacted in flow logs, exposing session credentials to all admin Moderate
CVE-2025-53886 was published for directus (npm) Jul 15, 2025
licitdev
Directus is vulnerable to sensitive data exposure as user data is not being redacted when logged Moderate
CVE-2025-53885 was published for directus (npm) Jul 15, 2025
Better Call routing bug can lead to Cache Deception Moderate
GHSA-hq75-xg7r-rx6c was published for better-call (npm) Jul 11, 2025
mwlik
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database