GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
24,763 advisories
Ray is vulnerable to Critical RCE via Safari & Firefox Browsers through DNS Rebinding Attack
Critical
CVE-2025-62593
was published
for
ray
(pip)
Nov 26, 2025
Valibot has a ReDoS vulnerability in `EMOJI_REGEX`
High
CVE-2025-66020
was published
for
valibot
(npm)
Nov 26, 2025
OneUptime Unauthorized User Creation via API
High
CVE-2025-65966
was published
for
@oneuptime/common
(npm)
Nov 26, 2025
REDAXO CMS is vulnerable to Reflected XSS in Mediapool Info Banner via args[types]
Moderate
CVE-2025-66026
was published
for
redaxo/source
(Composer)
Nov 25, 2025
OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation
Moderate
GHSA-675q-66gf-gqg8
was published
for
@oneuptime/common
(npm)
Nov 25, 2025
OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization
High
CVE-2025-66021
was published
for
com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer
(Maven)
Nov 25, 2025
Better Auth Passkey Plugin allows passkey deletion through IDOR
High
GHSA-4vcf-q4xf-f48m
was published
for
@better-auth/passkey
(npm)
Nov 25, 2025
Contao is vulnerable to cross-site scripting in templates
Low
CVE-2025-65961
was published
for
contao/core-bundle
(Composer)
Nov 25, 2025
Contao is vulnerable to remote code execution in template closures
Moderate
CVE-2025-65960
was published
for
contao/core-bundle
(Composer)
Nov 25, 2025
VictoriaMetrics' Snappy Decoder DoS Vulnerability is Causing OOM
Low
CVE-2025-65942
was published
for
github.com/VictoriaMetrics/VictoriaMetrics
(Go)
Nov 25, 2025
Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer
High
CVE-2025-62703
was published
for
fugue
(pip)
Nov 25, 2025
GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature
High
CVE-2025-58360
was published
for
org.geoserver.web:gs-web-app
(Maven)
Nov 25, 2025
GeoServer has a Reflected Cross-Site Scripting (XSS) vulnerability in its WMS GetFeatureInfo HTML format
Moderate
CVE-2025-21621
was published
for
org.geoserver.web:gs-web-app
(Maven)
Nov 25, 2025
body-parser is vulnerable to denial of service when url encoding is used
Moderate
CVE-2025-13466
was published
for
body-parser
(npm)
Nov 25, 2025
LF Edge eKuiper is vulnerable to Arbitrary File Read/Write via unsanitized names and zip extraction
Critical
GHSA-rj4j-2jph-gg43
was published
for
github.com/lf-edge/ekuiper/v2
(Go)
Nov 24, 2025
pypdf's LZWDecode streams be manipulated to exhaust RAM
Moderate
GHSA-m449-cwjh-6pw7
was published
for
pypdf
(pip)
Nov 24, 2025
Formwork CMS has Stored Cross-Site Scripting Vulnerebility in Blog Tags
Moderate
CVE-2025-65956
was published
for
getformwork/formwork
(Composer)
Nov 24, 2025
ProTip!
Advisories are also available from the
GraphQL API