GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
3,469 advisories
check-branches is vulnerable to command Injection
Critical
CVE-2025-11148
was published
for
check-branches
(npm)
Sep 30, 2025
j178/prek-action vulnerable to arbitrary code injection in composite action
Critical
GHSA-pwf7-47c3-mfhx
was published
for
j178/prek-action
(GitHub Actions)
Sep 29, 2025
get-jwks: poisoned JWKS cache allows post-fetch issuer validation bypass
Critical
CVE-2025-59936
was published
for
get-jwks
(npm)
Sep 26, 2025
Gardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning
Critical
CVE-2025-59823
was published
for
github.com/gardener/gardener-extension-provider-aws
(Go)
Sep 25, 2025
Command Injection in adb-mcp MCP Server
Critical
CVE-2025-59834
was published
for
adb-mcp
(npm)
Sep 24, 2025
Apache IoTDB: Deserialization of untrusted Data
Critical
CVE-2025-48459
was published
for
org.apache.iotdb:iotdb-confignode
(Maven)
Sep 24, 2025
DNN Vulnerable to Stored Cross-Site Scripting (XSS) in the Prompt module
Critical
CVE-2025-59545
was published
for
DotNetNuke.Core
(NuGet)
Sep 23, 2025
InvokeAI has External Control of File Name or Path
Critical
CVE-2025-6237
was published
for
invokeai
(pip)
Sep 18, 2025
jinjava has Sandbox Bypass via JavaType-Based Deserialization
Critical
CVE-2025-59340
was published
for
com.hubspot.jinjava:jinjava
(Maven)
Sep 17, 2025
Flowise has arbitrary file access due to missing chat flow id validation
Critical
GHSA-q67q-549q-p849
was published
for
flowise
(npm)
Sep 15, 2025
Flowise has an Arbitrary File Read
Critical
GHSA-99pg-hqvx-r4gf
was published
for
flowise
(npm)
Sep 15, 2025
Flowise has Remote Code Execution vulnerability
Critical
CVE-2025-59528
was published
for
flowise
(npm)
Sep 15, 2025
FlowiseAI Pre-Auth Arbitrary Code Execution
Critical
CVE-2025-57164
was published
for
flowise
(npm)
Sep 15, 2025
mcp-kubernetes-server has an OS Command Injection vulnerability
Critical
CVE-2025-59377
was published
for
mcp-kubernetes-server
(pip)
Sep 15, 2025
Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover
Critical
CVE-2025-58434
was published
for
flowise
(npm)
Sep 12, 2025
ProTip!
Advisories are also available from the
GraphQL API