GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
24,775 advisories
Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client
High
CVE-2025-66035
was published
for
@angular/common
(npm)
Nov 26, 2025
Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions
Low
GHSA-wmjr-v86c-m9jj
was published
for
better-auth
(npm)
Nov 26, 2025
willitmerge has a Command Injection vulnerability
Moderate
GHSA-j9wj-m24m-7jj6
was published
for
willitmerge
(npm)
Nov 26, 2025
node-forge has ASN.1 Unbounded Recursion
High
CVE-2025-66031
was published
for
node-forge
(npm)
Nov 26, 2025
node-forge is vulnerable to ASN.1 OID Integer Truncation
Moderate
CVE-2025-66030
was published
for
node-forge
(npm)
Nov 26, 2025
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization
High
CVE-2025-12816
was published
for
node-forge
(npm)
Nov 26, 2025
Ray is vulnerable to Critical RCE via Safari & Firefox Browsers through DNS Rebinding Attack
Critical
CVE-2025-62593
was published
for
ray
(pip)
Nov 26, 2025
Valibot has a ReDoS vulnerability in `EMOJI_REGEX`
High
CVE-2025-66020
was published
for
valibot
(npm)
Nov 26, 2025
OneUptime Unauthorized User Creation via API
High
CVE-2025-65966
was published
for
@oneuptime/common
(npm)
Nov 26, 2025
REDAXO CMS is vulnerable to Reflected XSS in Mediapool Info Banner via args[types]
Moderate
CVE-2025-66026
was published
for
redaxo/source
(Composer)
Nov 25, 2025
OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation
Moderate
CVE-2025-66028
was published
for
@oneuptime/common
(npm)
Nov 25, 2025
OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization
High
CVE-2025-66021
was published
for
com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer
(Maven)
Nov 25, 2025
Better Auth Passkey Plugin allows passkey deletion through IDOR
High
GHSA-4vcf-q4xf-f48m
was published
for
@better-auth/passkey
(npm)
Nov 25, 2025
Contao is vulnerable to cross-site scripting in templates
Low
CVE-2025-65961
was published
for
contao/core-bundle
(Composer)
Nov 25, 2025
Contao is vulnerable to remote code execution in template closures
Moderate
CVE-2025-65960
was published
for
contao/core-bundle
(Composer)
Nov 25, 2025
VictoriaMetrics' Snappy Decoder DoS Vulnerability is Causing OOM
Low
CVE-2025-65942
was published
for
github.com/VictoriaMetrics/VictoriaMetrics
(Go)
Nov 25, 2025
Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer
High
CVE-2025-62703
was published
for
fugue
(pip)
Nov 25, 2025
GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature
High
CVE-2025-58360
was published
for
org.geoserver.web:gs-web-app
(Maven)
Nov 25, 2025
GeoServer has a Reflected Cross-Site Scripting (XSS) vulnerability in its WMS GetFeatureInfo HTML format
Moderate
CVE-2025-21621
was published
for
org.geoserver.web:gs-web-app
(Maven)
Nov 25, 2025
ProTip!
Advisories are also available from the
GraphQL API