
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

22,448 advisories

Langroid Allows XXE Injection via XMLToolMessage (High)
CVE-2025-46726 was published for langroid (pip) May 5, 2025. Credited: SCH227

league/commonmark contains a XSS vulnerability in Attributes extension (Moderate)
CVE-2025-46734 was published for league/commonmark (Composer) May 5, 2025. Credited: TRIKKSS

OpenVM allows the byte decomposition of pc in AUIPC chip to overflow (High)
CVE-2025-46723 was published for openvm (Rust) May 5, 2025. Credited: jonathanpwang

Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI (High)
CVE-2025-46731 was published for craftcms/cms (Composer) May 5, 2025. Credited: singetu0096

Mobile Security Framework (MobSF) Allows Web Server Resource Exhaustion via ZIP of Death Attack (Moderate)
CVE-2025-46730 was published for mobsf (pip) May 5, 2025. Credited: ssshah2131

Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields (Low)
CVE-2025-46720 was published for @keystone-6/core (npm) May 5, 2025. Credited: emmatown, dcousens

@misskey-dev/summaly Redirect Filter Bypass (Low)
CVE-2025-46553 was published for @misskey-dev/summaly (npm) May 5, 2025. Credited: warriordog

October CMS Allows Unprotected SVG Rename in Media Manager (Low)
CVE-2024-51991 was published for october/october (Composer) May 5, 2025

WSO2 API Manager XML External Entity (XXE) vulnerability (Critical)
CVE-2025-2905 was published for org.wso2.am:am-distribution-parent (Maven) May 5, 2025

Duplicate Advisory: `allowed_domains` can be bypassed by putting a decoy domain in http auth username portion of a URL (Critical)
GHSA-f54f-hr32-586f was published for browser-use (pip) May 3, 2025 (withdrawn)

obfstr Type Confusion vulnerability (Low)
CVE-2024-58253 was published for obfstr (Rust) May 2, 2025

Grokability Snipe-IT has incorrect authorization for accessing asset information (Moderate)
CVE-2025-47226 was published for snipe/snipe-it (Composer) May 2, 2025

Information Disclosure via Flags override link (Moderate)
CVE-2025-46332 was published for @vercel/flags (npm) May 2, 2025

Hashicorp Vault Community vulnerable to Incorrect Authorization (Moderate)
CVE-2025-3879 was published for github.com/hashicorp/vault (Go) May 2, 2025

Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information (Moderate)
CVE-2025-4166 was published for github.com/hashicorp/vault (Go) May 2, 2025

OPA server Data API HTTP path injection of Rego (High)
CVE-2025-46569 was published for github.com/open-policy-agent/opa/server (Go) May 1, 2025. Credited: GamrayW, HyouKash, AdrienIT

@cloudflare/workers-oauth-provider PKCE bypass via downgrade attack (Moderate)
CVE-2025-4144 was published for @cloudflare/workers-oauth-provider (npm) May 1, 2025

@cloudflare/workers-oauth-provider missing validation of redirect_uri on authorize endpoint (Moderate)
CVE-2025-4143 was published for @cloudflare/workers-oauth-provider (npm) May 1, 2025

SQL injection in ADOdb PostgreSQL driver pg_insert_id() method (Critical)
CVE-2025-46337 was published for adodb/adodb-php (Composer) May 1, 2025. Credited: mrcnpp, dregad

Duplicate Advisory: @cloudflare/workers-oauth-provider missing validation of redirect_uri on authorize endpoint (Moderate)
GHSA-7cp4-jw97-3rc2 was published for @cloudflare/workers-oauth-provider (npm) May 1, 2025 (withdrawn)

Duplicate Advisory: @cloudflare/workers-oauth-provider PKCE bypass via downgrade attack (Moderate)
GHSA-vh4h-fvqf-q9wv was published for @cloudflare/workers-oauth-provider (npm) May 1, 2025 (withdrawn)

Panic in mp3-metadata due to the lack of bounds checking (Moderate)
GHSA-927q-g9w9-pm54 was published for mp3-metadata (Rust) Apr 30, 2025

Vite's server.fs.deny bypassed with /. for files under project root (Moderate)
CVE-2025-46565 was published for vite (npm) Apr 30, 2025. Credited: chienhm