Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,781
Maven
5,000+
npm
4,390
NuGet
772
pip
4,164
Pub
12
RubyGems
965
Rust
1,073
Swift
45
Unreviewed advisories
All unreviewed
5,000+

25,186 advisories

Loading
Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package High
CVE-2025-68619 was published for signalk-server (npm) Jan 2, 2026
atsc11
Credited to atsc11
Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints Moderate
CVE-2025-68273 was published for signalk-server (npm) Jan 2, 2026
Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding High
CVE-2025-68272 was published for signalk-server (npm) Jan 2, 2026
Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE) Critical
CVE-2025-66398 was published for signalk-server (npm) Jan 2, 2026
Trix has a stored XSS vulnerability through its attachment attribute Moderate
GHSA-g9jg-w8vm-g96v was published for action_text-trix (RubyGems) Dec 31, 2025
serverless MCP Server vulnerable to Command Injection in list-projects tool High
CVE-2025-69256 was published for serverless (npm) Dec 31, 2025
dellalibera
Credited to dellalibera
CBORDecoder reuse can leak shareable values across decode calls Moderate
CVE-2025-68131 was published for cbor2 (pip) Dec 31, 2025
andreer
Credited to andreer
theshit vulnerable to unsafe loading of user-owned Python rules when running as root High
CVE-2025-69257 was published for theshit (Rust) Dec 30, 2025
AsfhtgkDavid
Credited to AsfhtgkDavid
ImageMagick's failure to limit MVG mutual causes Stack Overflow Moderate
CVE-2025-68950 was published for Magick.NET-Q16-AnyCPU (NuGet) Dec 30, 2025
ylwango613
Credited to ylwango613
RustFS has a gRPC Hardcoded Token Authentication Bypass Critical
CVE-2025-68926 was published for rustfs (Rust) Dec 30, 2025
ImageMagick's failure to limit the depth of SVG file reads caused a DoS attack Moderate
CVE-2025-68618 was published for Magick.NET-Q16-AnyCPU (NuGet) Dec 30, 2025
ylwango613
Credited to ylwango613
Temporal has a namespace policy bypass allowing requests to be authorized for incorrect contexts Low
CVE-2025-14986 was published for go.temporal.io/server (Go) Dec 30, 2025
URI Credential Leakage Bypass over CVE-2025-27221 Low
CVE-2025-61594 was published for uri (RubyGems) Dec 30, 2025
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion High
CVE-2025-15284 was published for qs (npm) Dec 30, 2025
samipmainali ljharb
Credited to samipmainali and ljharb
FacturaScripts is Vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload High
CVE-2025-69210 was published for facturascripts/facturascripts (Composer) Dec 30, 2025
vettrivel007
Credited to vettrivel007
YOURLS is vulnerable to XSS through JSONP and Callback request parameters High
GHSA-6mp4-q625-mxjp was published for yourls/yourls (Composer) Dec 30, 2025
DenizParlak
Credited to DenizParlak
PsiTransfer has Zip Slip Path Traversal via TAR Archive Download High
GHSA-xphh-5v4r-r3rx was published for psitransfer (npm) Dec 30, 2025
DenizParlak
Credited to DenizParlak
Composer is vulnerable to ANSI sequence injection Low
CVE-2025-67746 was published for composer/composer (Composer) Dec 30, 2025
cs278
Credited to cs278
axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header Moderate
CVE-2025-69202 was published for axios-cache-interceptor (npm) Dec 30, 2025
kishore03109 arthurfiorette
Credited to kishore03109 and arthurfiorette
Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU) Moderate
CVE-2025-69211 was published for @nestjs/platform-fastify (npm) Dec 30, 2025
phpMyFAQ has unauthenticated config backup download via /api/setup/backup High
CVE-2025-69200 was published for thorsten/phpmyfaq (Composer) Dec 30, 2025
eclipse07077-ljw
Credited to eclipse07077-ljw
Picklescan is vulnerable to RCE via missing detection when calling built-in python _operator.attrgetter High
GHSA-46h3-79wf-xr6c was published for picklescan (pip) Dec 30, 2025
CoolwindHF
Credited to CoolwindHF
Picklescan is vulnerable to RCE via missing detection when calling built-in python _operator.methodcaller High
GHSA-955r-x9j8-7rhh was published for picklescan (pip) Dec 30, 2025
CoolwindHF
Credited to CoolwindHF
Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran._eval_length Moderate
GHSA-6556-fwc2-fg2p was published for picklescan (pip) Dec 30, 2025
ac0d3r Lyutoon
Credited to ac0d3r and Lyutoon
Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.getlincoef High
GHSA-rrxm-2pvv-m66x was published for picklescan (pip) Dec 30, 2025
ac0d3r Lyutoon
Credited to ac0d3r and Lyutoon
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database