Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,750
Maven
5,000+
npm
4,356
NuGet
765
pip
4,120
Pub
12
RubyGems
960
Rust
1,069
Swift
45
Unreviewed advisories
All unreviewed
5,000+

25,038 advisories

Loading
Fickling has Code Injection vulnerability via pty.spawn() High
CVE-2025-67748 was published for fickling (pip) Dec 15, 2025
Fickling has missing detection for marshal.loads and types.FunctionType in unsafe modules list High
CVE-2025-67747 was published for fickling (pip) Dec 15, 2025
0x00nier
Credited to 0x00nier
Netty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder Moderate
CVE-2025-67735 was published for io.netty:netty-codec-http (Maven) Dec 15, 2025
vietj nakyamad
Credited to vietj and nakyamad
Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR) Moderate
CVE-2025-67715 was published for Weblate (pip) Dec 15, 2025
naxus-audit nijel
Credited to naxus-audit and nijel
Weblate's over‑permissive webhook endpoint enables mass repository updates and component enumeration Moderate
CVE-2025-67492 was published for Weblate (pip) Dec 15, 2025
naxus-audit nijel
Credited to naxus-audit and nijel
LikeC4 has RCE through vulnerable React and Next.js versions Critical
GHSA-vr6p-vq2p-6j74 was published for likec4 (npm) Dec 15, 2025
fnuttens
Credited to fnuttens
Misskey has a login rate limit bypass via spoofed X-Forwarded-For header Moderate
CVE-2025-66482 was published for misskey-js (npm) Dec 15, 2025
BoBeR182 saschanaz
Credited to BoBeR182 and saschanaz
misskey.js's export data contains private post data High
CVE-2025-66402 was published for misskey-js (npm) Dec 15, 2025
na2204 samunohito
Credited to na2204 and samunohito
Weblate has improper validation upon invitation acceptance Low
CVE-2025-64725 was published for Weblate (pip) Dec 15, 2025
Universal Tool Calling Protocol (UTCP) client library for Python vulnerable to Trust Boundary Violation through Manual JSON specification High
CVE-2025-14542 was published for utcp (pip) Dec 13, 2025
aircompressor Snappy and LZ4 Java-based decompressor implementation can leak information from reused output buffer High
CVE-2025-67721 was published for io.airlift:aircompressor-v3 (Maven) Dec 12, 2025
kyakdan
Credited to kyakdan
Vuetify has a Cross-site Scripting (XSS) vulnerability in the VDatePicker component Moderate
CVE-2025-8082 was published for vuetify (npm) Dec 12, 2025
Vuetify has a Prototype Pollution vulnerability High
CVE-2025-8083 was published for vuetify (npm) Dec 12, 2025
Liferay Portal and DXP Instance Admin can execute code using Objects Actions and Validations High
CVE-2025-3586 was published for com.liferay:com.liferay.object.service (Maven) Dec 12, 2025
Lightning Flow Scanner Vulnerable to Code Injection via Unsafe Use of `new Function()` in APIVersion Rule High
CVE-2025-67750 was published for lightning-flow-scanner (npm) Dec 12, 2025
RubenHalman
Credited to RubenHalman
Finality Provider vulnerable to anti-slashing bypassing due to misconfiguration High
GHSA-4jmp-x7mh-rgmr was published for github.com/babylonlabs-io/finality-provider (Go) Dec 12, 2025
NeuVector OpenID Connect is vulnerable to man-in-the-middle (MITM) High
CVE-2025-66001 was published for github.com/neuvector/neuvector (Go) Dec 12, 2025
Weaviate OSS has a Path Traversal Vulnerability via Backup ZipSlip High
CVE-2025-67818 was published for github.com/weaviate/weaviate (Go) Dec 12, 2025
Weaviate OSS has path traversal vulnerability via the Shard Movement API High
CVE-2025-67819 was published for github.com/weaviate/weaviate (Go) Dec 12, 2025
MineAdmin has an insecure default password Critical
CVE-2025-65854 was published for mineadmin/mineadmin (Composer) Dec 12, 2025
Apache StreamPark: Use the user’s password as the secret key Vulnerability High
CVE-2025-53960 was published for org.apache.streampark:streampark (Maven) Dec 12, 2025
Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up High
GHSA-5j59-xgg2-r9c4 was published for next (npm) Dec 12, 2025
Vite Plugin React has a Source Code Exposure Vulnerability in React Server Components Moderate
GHSA-c6m7-q6pr-c64r was published for @vitejs/plugin-rsc (npm) Dec 12, 2025
Vite Plugin React has a Denial of Service Vulnerability in React Server Components High
GHSA-cpqf-f22c-r95x was published for @vitejs/plugin-rsc (npm) Dec 12, 2025
Denial of Service Vulnerability in React Server Components High
CVE-2025-67779 was published for react-server-dom-parcel (npm) Dec 12, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database