Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,740
Maven
5,000+
npm
4,338
NuGet
765
pip
4,112
Pub
12
RubyGems
960
Rust
1,068
Swift
45
Unreviewed advisories
All unreviewed
5,000+

24,977 advisories

Loading
Ibexa User Bundle is missing password change validation Critical
GHSA-x93p-w2ch-fg67 was published for ibexa/user (Composer) Dec 10, 2025
Zitadel Discloses the Total Number of Instance Users Moderate
GHSA-f4cf-9rvr-2rcx was published for github.com/zitadel/zitadel (Go) Dec 10, 2025
IAM-marco livio-a
Credited to IAM-marco and livio-a
Miniflux has an Open Redirect via protocol-relative redirect_url Low
GHSA-wqv2-4wpg-8hc9 was published for miniflux.app/v2 (Go) Dec 10, 2025
satoki
Credited to satoki
ImageMagick is vulnerable to an integer Overflow in TIM decoder leading to out of bounds read (32-bit only) High
CVE-2025-66628 was published for Magick.NET-Q16-AnyCPU (NuGet) Dec 10, 2025
Sumitshah00
Credited to Sumitshah00
XWiki vulnerable to remote code execution through insufficient protection against {{/html}} injection High
CVE-2025-66474 was published for org.xwiki.rendering:xwiki-rendering-xml (Maven) Dec 10, 2025
XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis High
CVE-2025-66473 was published for org.xwiki.platform:xwiki-platform-rest-server (Maven) Dec 10, 2025
XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication Moderate
CVE-2025-66472 was published for org.xwiki.platform:xwiki-platform-flamingo-skin-resources (Maven) Dec 10, 2025
4rdr
Credited to 4rdr
Gogs vulnerable to a bypass of CVE-2024-55947 High
CVE-2025-8110 was published for gogs.io/gogs (Go) Dec 10, 2025
Apache Struts has a Denial of Service vulnerability High
CVE-2025-66675 was published for org.apache.struts:struts2-core (Maven) Dec 10, 2025
Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions Low
CVE-2025-14082 was published for org.keycloak:keycloak-services (Maven) Dec 10, 2025
Fetch MCP Server has a Server-Side Request Forgery (SSRF) vulnerability Moderate
CVE-2025-65513 was published for mcp-fetch-server (npm) Dec 10, 2025
LangGraph's SQLite is vulnerable to SQL injection via metadata filter key in SQLite checkpointer list method High
CVE-2025-67644 was published for langgraph-checkpoint-sqlite (pip) Dec 10, 2025
VladimirEliTokarev yardenporat353
Credited to VladimirEliTokarev and yardenporat353
OpenTofu incorrectly validates excluded subdomain constraint in conjunction with TLS certificates containing wildcard SANs Moderate
GHSA-mjcp-gpgx-ggcg was published for github.com/opentofu/opentofu (Go) Dec 9, 2025
Cybersecurity AI (CAI) vulnerable to Command Injection in run_ssh_command_with_credentials Agent tool Critical
CVE-2025-67511 was published for cai-framework (pip) Dec 9, 2025
edoardottt
Credited to edoardottt
@tiptap/extension-link vulnerable to Cross-site Scripting (XSS) Low
CVE-2025-14284 was published for @tiptap/extension-link (npm) Dec 9, 2025
Robocode has an insecure temporary file creation vulnerability in the AutoExtract component Critical
CVE-2025-14307 was published for net.sf.robocode:robocode.battle (Maven) Dec 9, 2025
Robocode vulnerable to Directory Traversal in recursivelyDelete Method Critical
CVE-2025-14306 was published for net.sf.robocode:robocode.core (Maven) Dec 9, 2025
Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments Moderate
CVE-2025-13877 was published for @nocobase/auth (npm) Dec 9, 2025
H2u8s
Credited to H2u8s
Shopware Storefront Reflected XSS in Storefront Login Page High
GHSA-6w82-v552-wjw2 was published for shopware/shopware (Composer) Dec 9, 2025
tbrankaer NielDuysters
Credited to tbrankaer and NielDuysters
SAML PHP Toolkit Vulnerability on xmlseclibs CVE-2025-66475 Critical
GHSA-5j8p-438x-rgg5 was published for onelogin/php-saml (Composer) Dec 9, 2025
d0ge
Credited to d0ge
JDA (Java Discord API) downloads external URLs when updating message components Moderate
GHSA-93fv-4pm9-xp28 was published for net.dv8tion:JDA (Maven) Dec 9, 2025
Neuron MySQLWriteTool allows arbitrary/destructive SQL when exposed to untrusted prompts (agent “footgun”) Critical
CVE-2025-67510 was published for neuron-core/neuron-ai (Composer) Dec 9, 2025
siewer
Credited to siewer
Neuron MySQLSelectTool “read-only” bypass via `SELECT ... INTO OUTFILE` (file write → potential RCE) High
CVE-2025-67509 was published for neuron-core/neuron-ai (Composer) Dec 9, 2025
siewer
Credited to siewer
Filament multi-factor authentication (app) recovery codes can be used multiple times High
CVE-2025-67507 was published for filament/filament (Composer) Dec 9, 2025
JaZo danharrin
Credited to JaZo and danharrin
CNA Plugins Portmap nftables backend can intercept non-local traffic Moderate
CVE-2025-67499 was published for github.com/containernetworking/plugins (Go) Dec 9, 2025
agusdallalba champtar
Credited to agusdallalba and champtar
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database