GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
33,218 advisories
Filter by severity
JuzaWeb CMS is vulnerable to Incorrect Privilege Assignment when installing Import Page component
Low
CVE-2025-6735
was published
for
juzaweb/cms
(Composer)
Jun 27, 2025
Infinispan CLI vulnerable to Generation of Error Message Containing Sensitive Information
Moderate
CVE-2025-5731
was published
for
org.infinispan:infinispan-cli-client
(Maven)
Jun 27, 2025
Magento Authenticated Security feature bypass
Low
CVE-2025-49549
was published
for
magento/community-edition
(Composer)
Jun 26, 2025
Magento Security feature bypass
Moderate
CVE-2025-49550
was published
for
magento/community-edition
(Composer)
Jun 26, 2025
Ruby WEBrick read_headers method can lead to HTTP Request/Response Smuggling
Moderate
CVE-2025-6442
was published
for
webrick
(RubyGems)
Jun 26, 2025
Vault Community Edition rekey and recovery key operations can cause denial of service
Low
CVE-2025-4656
was published
for
github.com/hashicorp/vault
(Go)
Jun 26, 2025
Apache Airflow Providers Snowflake package allows for Special Element Injection via CopyFromExternalStageToSnowflakeOperator
Critical
CVE-2025-50213
was published
for
apache-airflow-providers-snowflake
(pip)
Jun 26, 2025
OpenBao allows cancellation of root rekey and recovery rekey operations without authentication
Moderate
CVE-2025-52894
was published
for
github.com/openbao/openbao
(Go)
Jun 26, 2025
OpenBao Inserts Sensitive Information into Log File when processing malformed data
Moderate
CVE-2025-52893
was published
for
github.com/openbao/openbao/sdk/v2
(Go)
Jun 26, 2025
iOS Simulator MCP Command Injection allowed via exec API
Moderate
CVE-2025-52573
was published
for
ios-simulator-mcp
(npm)
Jun 26, 2025
Incus creates nftables rules that partially bypass security options
High
CVE-2025-52890
was published
for
github.com/lxc/incus/v6
(Go)
Jun 26, 2025
Incus Allocation of Resources Without Limits allows firewall rule bypass on managed bridge networks
Low
CVE-2025-52889
was published
for
github.com/lxc/incus/v6
(Go)
Jun 26, 2025
Octo STS Unauthenticated SSRF by abusing fields in OpenID Connect tokens
High
CVE-2025-52477
was published
for
github.com/octo-sts/app
(Go)
Jun 26, 2025
Xuxueli XXL-SSO Cross-site Scripting vulnerability
Low
CVE-2025-6700
was published
for
com.xuxueli:xxl-sso
(Maven)
Jun 26, 2025
XXL SSO is vulnerable to an Open Redirect through malicious manipulation of the redirect_url argument
Low
CVE-2025-6701
was published
for
com.xuxueli:xxl-sso
(Maven)
Jun 26, 2025
Gogs XSS allowed by stored call in PDF renderer
Moderate
CVE-2025-47943
was published
for
github.com/gogs/gogs
(Go)
Jun 26, 2025
Snyk CLI Insertion of Sensitive Information into Log File allowed in DEBUG or DEBUG/TRACE mode
Low
CVE-2025-6624
was published
for
github.com/snyk/go-application-framework
(Go)
Jun 26, 2025
Podman Improper Certificate Validation; machine missing TLS verification
High
CVE-2025-6032
was published
for
github.com/containers/podman/v4
(Go)
Jun 25, 2025
RISC Zero Ethereum invalid commitment with digest value of zero accepted by Steel.validateCommitment
Low
CVE-2025-52884
was published
for
risc0-ethereum-contracts
(Rust)
Jun 25, 2025
Allure Report allows Improper XXE Restriction via DocumentBuilderFactory
High
CVE-2025-52888
was published
for
io.qameta.allure.plugins:junit-xml-plugin
(Maven)
Jun 25, 2025
Moodle Session Fixation allows unauthenticated users to hijack sessions via sesskey parameter
Moderate
CVE-2025-53021
was published
for
moodle/moodle
(Composer)
Jun 24, 2025
Umbraco CMS disclosure of configured password requirements
Moderate
CVE-2025-49147
was published
for
Umbraco.Cms
(NuGet)
Jun 24, 2025
Gogs allows deletion of internal files which leads to remote command execution
Critical
CVE-2024-56731
was published
for
gogs.io/gogs
(Go)
Jun 24, 2025
pbkdf2 silently disregards Uint8Array input, returning static keys
Critical
CVE-2025-6547
was published
for
pbkdf2
(npm)
Jun 23, 2025
pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
Critical
CVE-2025-6545
was published
for
pbkdf2
(npm)
Jun 23, 2025
ProTip!
Advisories are also available from the
GraphQL API