Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,635
Maven
5,000+
npm
4,262
NuGet
760
pip
4,057
Pub
12
RubyGems
956
Rust
1,054
Swift
45
Unreviewed advisories
All unreviewed
5,000+

4,262 advisories

Loading
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events High
CVE-2025-64496 was published for open-webui (npm) Nov 7, 2025
vitalysim
Credited to vitalysim
Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE High
CVE-2025-64495 was published for open-webui (npm) Nov 7, 2025
gg0h
Credited to gg0h
Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files Low
CVE-2025-48985 was published for ai (npm) Nov 7, 2025
Nuxt DevTools vulnerable to cross-site scripting (XSS) Moderate
CVE-2025-52662 was published for @nuxt/devtools (npm) Nov 7, 2025
Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format High
CVE-2025-64430 was published for parse-server (npm) Nov 5, 2025
jacksonkasi1 mtrezza
Credited to jacksonkasi1 and mtrezza
expr-eval does not restrict functions passed to the evaluate function High
CVE-2025-12735 was published for expr-eval (npm) Nov 5, 2025
@react-native-community/cli has arbitrary OS command injection Critical
CVE-2025-11953 was published for @react-native-community/cli (npm) Nov 3, 2025
Malayke cylewaitforit
Credited to Malayke and cylewaitforit
node-tar has a race condition leading to uninitialized memory exposure Moderate
CVE-2025-64118 was published for tar (npm) Oct 30, 2025
ChALkeR
Credited to ChALkeR
n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook High
CVE-2025-62726 was published for n8n (npm) Oct 30, 2025
assaf-levkovich-jf
Credited to assaf-levkovich-jf
TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update High
CVE-2025-60542 was published for typeorm (npm) Oct 29, 2025
cavadalizada
Credited to cavadalizada
NextAuthjs Email misdelivery Vulnerability Moderate
GHSA-5jpx-9hw9-2fx4 was published for next-auth (npm) Oct 29, 2025
rootxjs
Credited to rootxjs
Astro's bypass of image proxy domain validation leads to SSRF and potential XSS High
CVE-2025-59837 was published for astro (npm) Oct 28, 2025
everping GeneralZero
Credited to everping and GeneralZero
Hono vulnerable to Vary Header Injection leading to potential CORS Bypass Moderate
GHSA-q7jf-gf43-6x6p was published for hono (npm) Oct 24, 2025
rollbar vulnerable to Prototype Pollution in merge() Moderate
CVE-2025-62517 was published for rollbar (npm) Oct 23, 2025
waltjones brianr
kiwi865
Credited to waltjones, brianr, and kiwi865
Kottster app reinitialization can be re-triggered allowing command injection in development mode High
CVE-2025-62713 was published for @kottster/server (npm) Oct 23, 2025
P0cas
Credited to P0cas
Hono Improper Authorization vulnerability High
CVE-2025-62610 was published for hono (npm) Oct 22, 2025
okazu-dm
Credited to okazu-dm
Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic Moderate
CVE-2025-62595 was published for koa (npm) Oct 21, 2025
haymizrachi
Credited to haymizrachi
Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read Moderate
GHSA-vffh-c9pq-4crh was published for uptime-kuma (npm) Oct 20, 2025
TriangleSnake
Credited to TriangleSnake
vite allows server.fs.deny bypass via backslash on Windows Moderate
CVE-2025-62522 was published for vite (npm) Oct 20, 2025
minhnb11 bluwy
Credited to minhnb11 and bluwy
Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers Moderate
GHSA-xvp7-8vm8-xfxx was published for @actual-app/sync-server (npm) Oct 20, 2025
StoobertB
Credited to StoobertB
rollbar vulnerable to prototype pollution Low
CVE-2025-57325 was published for rollbar (npm) Oct 20, 2025
waltjones brianr
Credited to waltjones and brianr
Duplicate Advisory: FlowiseAI Pre-Auth Arbitrary Code Execution Critical
GHSA-3g4j-r53p-22wx was published for flowise (npm) Oct 17, 2025 withdrawn
Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module Low
CVE-2025-62505 was published for @lobehub/chat (npm) Oct 17, 2025
im-soohyun
Credited to im-soohyun
Mammoth is vulnerable to Directory Traversal Moderate
CVE-2025-11849 was published for Mammoth (Maven) Oct 17, 2025
Angular SSR has a Server-Side Request Forgery (SSRF) flaw High
CVE-2025-62427 was published for @angular/ssr (npm) Oct 16, 2025
meDavidNS securityMB
hybrist alan-agius4 josephperrott
Credited to meDavidNS, securityMB, hybrist, alan-agius4, and josephperrott
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database