Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,640
Maven
5,000+
npm
4,265
NuGet
760
pip
4,061
Pub
12
RubyGems
956
Rust
1,057
Swift
45
Unreviewed advisories
All unreviewed
5,000+

24,620 advisories

Loading
Incus vulnerable to local privilege escalation through custom storage volumes High
CVE-2025-64507 was published for github.com/lxc/incus (Go) Nov 13, 2025
abdodz1234 stgraber
Credited to abdodz1234 and stgraber
Milvus Proxy has a Critical Authentication Bypass Vulnerability Critical
CVE-2025-64513 was published for github.com/milvus-io/milvus (Go) Nov 13, 2025
sudo-rs doesn't record authenticating user properly in timestamp Moderate
CVE-2025-64517 was published for sudo-rs (Rust) Nov 13, 2025
Pingasmaster bjorn3
squell
Credited to Pingasmaster, bjorn3, and squell
pgAdmin4 vulnerable to Remote Code Execution (RCE) when running in server mode Critical
CVE-2025-12762 was published for pgadmin4 (pip) Nov 13, 2025
jonbally
Credited to jonbally
Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU) High
CVE-2025-64509 was published for bugsink (pip) Nov 13, 2025
Cycloctane
Credited to Cycloctane
Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input High
CVE-2025-64508 was published for bugsink (pip) Nov 13, 2025
Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details Moderate
CVE-2025-64502 was published for parse-server (npm) Nov 13, 2025
mtrezza coratgerl
mstniy
Credited to mtrezza, coratgerl, and mstniy
Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass High
CVE-2025-64500 was published for symfony/http-foundation (Composer) Nov 12, 2025
cs278 nicolas-grekas
Credited to cs278 and nicolas-grekas
Evervault Go SDK: Incomplete PCR Validation in Enclave Attestation for non-Evervault hosted Enclaves High
CVE-2025-64186 was published for github.com/evervault/evervault-go (Go) Nov 12, 2025
JoranHonig
Credited to JoranHonig
OAuth2-Proxy is vulnerable to header smuggling via underscore leading to potential privilege escalation High
CVE-2025-64484 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Nov 12, 2025
47Cid
Credited to 47Cid
Wasmtime provides unsound API access to a WebAssembly shared linear memory Low
CVE-2025-64345 was published for wasmtime (Rust) Nov 12, 2025
sudo-rs: Partial password reveal is possible after timeout Low
CVE-2025-64170 was published for sudo-rs (Rust) Nov 12, 2025
DevLaTron bjorn3
MggMuggins squell
Credited to DevLaTron, bjorn3, MggMuggins, and squell
OpenAM: Using arbitrary OIDC requested claims values in id_token and user_info is allowed High
CVE-2025-64099 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) Nov 12, 2025
Jean-Eudes
Credited to Jean-Eudes
changedetection.io: Stored XSS in Watch update via API Low
CVE-2025-62780 was published for changedetection.io (pip) Nov 12, 2025
edoardottt
Credited to edoardottt
Soft Serve is vulnerable to SSRF through its Webhooks Critical
CVE-2025-64522 was published for github.com/charmbracelet/soft-serve (Go) Nov 10, 2025
Tomer-PL caarlos0
Credited to Tomer-PL and caarlos0
TorrentPier is Vulnerable to Authenticated SQL Injection through Moderator Control Panel's topic_id parameter High
CVE-2025-64519 was published for torrentpier/torrentpier (Composer) Nov 10, 2025
XY20130630
Credited to XY20130630
CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection High
CVE-2025-64518 was published for org.cyclonedx:cyclonedx-core-java (Maven) Nov 10, 2025
nscuro BrightKn1ght
Credited to nscuro and BrightKn1ght
Cloudinary Node SDK is vulnerable to Arbitrary Argument Injection through parameters that include an ampersand High
CVE-2025-12613 was published for cloudinary (npm) Nov 10, 2025
EverShop is vulnerable to Unauthorized Order Information Access (IDOR) Low
CVE-2025-12919 was published for @evershop/evershop (npm) Nov 9, 2025
Duplicate Advisory: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values High
GHSA-vfpf-xmwh-8m65 was published for prosemirror_to_html (RubyGems) Nov 7, 2025 withdrawn
Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc High
GHSA-f83h-ghpp-7wcc was published for pdfminer.six (pip) Nov 7, 2025
sumanrox
Credited to sumanrox
Arbitrary Code Execution in pdfminer.six via Crafted PDF Input High
GHSA-wf5f-4jwr-ppcp was published for pdfminer.six (pip) Nov 7, 2025
mtolley
Credited to mtolley
KubeVirt Vulnerable to Arbitrary Host File Read and Write High
CVE-2025-64324 was published for github.com/kubevirt/kubevirt (Go) Nov 7, 2025
mihailkirov Faeris95
jean-edouard
Credited to mihailkirov, Faeris95, and jean-edouard
AstrBot has an arbitrary file read vulnerability in function _encode_image_bs64 Moderate
CVE-2025-57697 was published for AstrBot (pip) Nov 7, 2025
AstrBot contains a directory traversal vulnerability High
CVE-2025-57698 was published for AstrBot (pip) Nov 7, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database