Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,943
Erlang
39
GitHub Actions
38
Go
2,602
Maven
5,000+
npm
4,249
NuGet
755
pip
4,013
Pub
12
RubyGems
953
Rust
1,048
Swift
45
Unreviewed advisories
All unreviewed
5,000+

4,250 advisories

Loading
rollbar vulnerable to Prototype Pollution in merge() Moderate
CVE-2025-62517 was published for rollbar (npm) Oct 23, 2025
waltjones brianr
kiwi865
Credited to waltjones, brianr, and kiwi865
Kottster app reinitialization can be re-triggered allowing command injection in development mode High
CVE-2025-62713 was published for @kottster/server (npm) Oct 23, 2025
P0cas
Credited to P0cas
Hono Improper Authorization vulnerability High
CVE-2025-62610 was published for hono (npm) Oct 22, 2025
okazu-dm
Credited to okazu-dm
Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic Moderate
CVE-2025-62595 was published for koa (npm) Oct 21, 2025
haymizrachi
Credited to haymizrachi
Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read Moderate
GHSA-vffh-c9pq-4crh was published for uptime-kuma (npm) Oct 20, 2025
TriangleSnake
Credited to TriangleSnake
vite allows server.fs.deny bypass via backslash on Windows Moderate
CVE-2025-62522 was published for vite (npm) Oct 20, 2025
minhnb11 bluwy
Credited to minhnb11 and bluwy
Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers Moderate
GHSA-xvp7-8vm8-xfxx was published for @actual-app/sync-server (npm) Oct 20, 2025
StoobertB
Credited to StoobertB
rollbar vulnerable to prototype pollution Low
CVE-2025-57325 was published for rollbar (npm) Oct 20, 2025
waltjones brianr
Credited to waltjones and brianr
Duplicate Advisory: FlowiseAI Pre-Auth Arbitrary Code Execution Critical
GHSA-3g4j-r53p-22wx was published for flowise (npm) Oct 17, 2025 withdrawn
Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module Low
CVE-2025-62505 was published for @lobehub/chat (npm) Oct 17, 2025
im-soohyun
Credited to im-soohyun
Mammoth is vulnerable to Directory Traversal Moderate
CVE-2025-11849 was published for Mammoth (Maven) Oct 17, 2025
Angular SSR has a Server-Side Request Forgery (SSRF) flaw High
CVE-2025-62427 was published for @angular/ssr (npm) Oct 16, 2025
meDavidNS securityMB
jkrems alan-agius4 josephperrott
Credited to meDavidNS, securityMB, jkrems, alan-agius4, and josephperrott
Strapi core vulnerable to sensitive data exposure via CORS misconfiguration Moderate
CVE-2025-53092 was published for @strapi/core (npm) Oct 16, 2025
ghostvirus62 derrickmehaffy
alexandrebodin innerdvations
Credited to ghostvirus62, derrickmehaffy, alexandrebodin, and innerdvations
Strapi Password Hashing Missing Maximum Password Length Validation Moderate
CVE-2025-25298 was published for @strapi/core (npm) Oct 16, 2025
sinanptm
Credited to sinanptm
Strapi Allows Unauthorized Access to Private Fields via parms.lookup High
CVE-2024-56143 was published for @strapi/core (npm) Oct 16, 2025
Boegie19 alexandrebodin
derrickmehaffy
Credited to Boegie19, alexandrebodin, and derrickmehaffy
Strapi is vulnerable to Insufficient Session Expiration Moderate
CVE-2025-3930 was published for @strapi/strapi (npm) Oct 16, 2025
happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript Critical
CVE-2025-62410 was published for happy-dom (npm) Oct 15, 2025
cristianstaicu
Credited to cristianstaicu
`sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js` High
CVE-2025-62381 was published for sveltekit-superforms (npm) Oct 15, 2025
d-xuan
Credited to d-xuan
Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails Low
CVE-2025-62380 was published for mailgen (npm) Oct 15, 2025
edoardottt
Credited to edoardottt
Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs Moderate
CVE-2025-62374 was published for parse (npm) Oct 14, 2025
Moumouls mtrezza
Credited to Moumouls and mtrezza
Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages High
CVE-2025-34267 was published for flowise (npm) Oct 14, 2025
Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails Low
CVE-2025-62366 was published for mailgen (npm) Oct 14, 2025
edoardottt
Credited to edoardottt
Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate Moderate
CVE-2025-59288 was published for playwright (npm) Oct 14, 2025
CommandKit has incorrect command name exposure in context object for message command aliases Moderate
CVE-2025-62378 was published for commandkit (npm) Oct 13, 2025
twlite notunderctrl
Credited to twlite and notunderctrl
QGIS QWC2 Cross-Site Scripting vulnerability Moderate
CVE-2025-11183 was published for qwc2 (npm) Oct 13, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database