Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,894
Erlang
38
GitHub Actions
38
Go
2,558
Maven
5,000+
npm
4,232
NuGet
751
pip
4,001
Pub
12
RubyGems
953
Rust
1,042
Swift
45
Unreviewed advisories
All unreviewed
5,000+

8,435 advisories

Loading
Star Citizen EmbedVideo Extension Stored XSS through wikitext caused by usage of non-reserved data attributes High
CVE-2025-59839 was published for starcitizenwiki/embedvideo (Composer) Sep 24, 2025
SomeMWDev
Credited to SomeMWDev
Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions High
CVE-2025-59828 was published for @anthropic-ai/claude-code (npm) Sep 24, 2025
cai0duque
Credited to cai0duque
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball High
CVE-2025-59343 was published for tar-fs (npm) Sep 24, 2025
lukaselmer cai0duque
Credited to lukaselmer and cai0duque
messageformat prototype pollution vulnerability High
CVE-2025-57353 was published for @messageformat/runtime (npm) Sep 24, 2025
Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink High
CVE-2025-59430 was published for @meshconnect/web-link-sdk (npm) Sep 22, 2025
aptos-security zwxxb
zi0Black
Credited to aptos-security, zwxxb, and zi0Black
`git-comiters` Command Injection vulnerability High
CVE-2025-59831 was published for git-commiters (npm) Sep 22, 2025
lirantal
Credited to lirantal
Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass) High
CVE-2025-59420 was published for authlib (pip) Sep 22, 2025
AL-Cybision
Credited to AL-Cybision
Mattermost Path Traversal vulnerability High
CVE-2025-9079 was published for github.com/mattermost/mattermost-server (Go) Sep 19, 2025
The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded. High
CVE-2025-9905 was published for keras (pip) Sep 19, 2025
io-no
Credited to io-no
Codex has sandbox bypass due to bug in path configuration logic High
CVE-2025-59532 was published for @openai/codex (npm) Sep 19, 2025
Keras is vulnerable to Deserialization of Untrusted Data High
CVE-2025-9906 was published for keras (pip) Sep 19, 2025
cai0duque
Credited to cai0duque
Duplicate Advisory: The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded. High
GHSA-77wq-646f-jrm2 was published for keras (pip) Sep 19, 2025 withdrawn
Pingora update for MadeYouReset HTTP/2 vulnerability High
GHSA-393w-9x6h-8gc7 was published for pingora-core (Rust) Sep 17, 2025
galbarnahum
Credited to galbarnahum
DragonFly's manager generates mTLS certificates for arbitrary IP addresses High
CVE-2025-59353 was published for d7y.io/dragonfly/v2 (Go) Sep 17, 2025
gaius-qi
Credited to gaius-qi
Dragonfly vulnerable to server-side request forgery High
CVE-2025-59346 was published for d7y.io/dragonfly/v2 (Go) Sep 17, 2025
gaius-qi
Credited to gaius-qi
Dragonfly doesn't have authentication enabled for some Manager’s endpoints High
CVE-2025-59345 was published for d7y.io/dragonfly/v2 (Go) Sep 17, 2025
gaius-qi
Credited to gaius-qi
esm.sh has File Inclusion issue High
CVE-2025-59341 was published for github.com/esm-dev/esm.sh (Go) Sep 17, 2025
j3ssie
Credited to j3ssie
@executeautomation/database-server does not properly restrict access, bypassing a "read-only" mode High
CVE-2025-59333 was published for @executeautomation/database-server (npm) Sep 16, 2025
lirantal
Credited to lirantal
Podman Creates Temporary File with Insecure Permissions High
CVE-2025-4953 was published for github.com/containers/podman/v5 (Go) Sep 16, 2025
Spring Framework annotation detection mechanism may result in improper authorization High
CVE-2025-41249 was published for org.springframework:spring-core (Maven) Sep 16, 2025
Spring Security annotation detection mechanism has authorization bypass High
CVE-2025-41248 was published for org.springframework.security:spring-security-core (Maven) Sep 16, 2025
[email protected] contains malware after npm account takeover High
CVE-2025-59331 was published for is-arrayish (npm) Sep 15, 2025
[email protected] contains malware after npm account takeover High
CVE-2025-59330 was published for error-ex (npm) Sep 15, 2025
[email protected] contains malware after npm account takeover High
CVE-2025-59162 was published for color-convert (npm) Sep 15, 2025
[email protected] contains malware after npm account takeover High
CVE-2025-59145 was published for color-name (npm) Sep 15, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database