
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.

24,730 advisories

Keycloak allows Binding to an Unrestricted IP Address (Moderate)
CVE-2025-11538 was published for org.keycloak:keycloak-quarkus-server (Maven) Nov 13, 2025

Mattermost Incorrect Authorization vulnerability (Low)
CVE-2025-11777 was published for github.com/mattermost/mattermost (Go) Nov 13, 2025

Incus vulnerable to local privilege escalation through custom storage volumes (High)
CVE-2025-64507 was published for github.com/lxc/incus (Go) Nov 13, 2025
Credited to abdodz1234 and stgraber

Milvus Proxy has a Critical Authentication Bypass Vulnerability (Critical)
CVE-2025-64513 was published for github.com/milvus-io/milvus (Go) Nov 13, 2025

sudo-rs doesn't record authenticating user properly in timestamp (Moderate)
CVE-2025-64517 was published for sudo-rs (Rust) Nov 13, 2025
Credited to Pingasmaster, bjorn3, and squell

pgAdmin4 vulnerable to Remote Code Execution (RCE) when running in server mode (Critical)
CVE-2025-12762 was published for pgadmin4 (pip) Nov 13, 2025
Credited to jonbally

pgAdmin 4 has command injection vulnerability on Windows systems (Moderate)
CVE-2025-12763 was published for pgadmin4 (pip) Nov 13, 2025

pgAdmin is affected by an LDAP injection vulnerability (High)
CVE-2025-12764 was published for pgadmin4 (pip) Nov 13, 2025

Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU) (High)
CVE-2025-64509 was published for bugsink (pip) Nov 13, 2025
Credited to Cycloctane

Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input (High)
CVE-2025-64508 was published for bugsink (pip) Nov 13, 2025
Credited to mtrezza, coratgerl, and mstniy

Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass (High)
CVE-2025-64500 was published for symfony/http-foundation (Composer) Nov 12, 2025
Credited to cs278 and nicolas-grekas

Evervault Go SDK: Incomplete PCR Validation in Enclave Attestation for non-Evervault hosted Enclaves (High)
CVE-2025-64186 was published for github.com/evervault/evervault-go (Go) Nov 12, 2025
Credited to JoranHonig

OAuth2-Proxy is vulnerable to header smuggling via underscore leading to potential privilege escalation (High)
CVE-2025-64484 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) Nov 12, 2025
Credited to 47Cid

Wasmtime provides unsound API access to a WebAssembly shared linear memory (Low)
CVE-2025-64345 was published for wasmtime (Rust) Nov 12, 2025

sudo-rs: Partial password reveal is possible after timeout (Low)
CVE-2025-64170 was published for sudo-rs (Rust) Nov 12, 2025
Credited to DevLaTron, bjorn3, MggMuggins, and squell

OpenAM: Using arbitrary OIDC requested claims values in id_token and user_info is allowed (High)
CVE-2025-64099 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) Nov 12, 2025
Credited to Jean-Eudes

changedetection.io: Stored XSS in Watch update via API (Low)
CVE-2025-62780 was published for changedetection.io (pip) Nov 12, 2025
Credited to edoardottt

Observability Operator is vulnerable to Incorrect Privilege Assignment through its Custom Resource MonitorStack (High)
CVE-2025-2843 was published for github.com/rhobs/observability-operator (Go) Nov 12, 2025

jose2go is vulnerable to a JWT bomb attack through its decode function (High)
CVE-2025-63811 was published for github.com/dvsekhvalnov/jose2go (Go) Nov 12, 2025

TYPO3 Modules Extension has Improper Authentication vulnerability (High)
CVE-2025-12998 was published for codingms/modules (Composer) Nov 12, 2025

Soft Serve is vulnerable to SSRF through its Webhooks (Critical)
CVE-2025-64522 was published for github.com/charmbracelet/soft-serve (Go) Nov 10, 2025
Credited to Tomer-PL and caarlos0

TorrentPier is Vulnerable to Authenticated SQL Injection through Moderator Control Panel's topic_id parameter (High)
CVE-2025-64519 was published for torrentpier/torrentpier (Composer) Nov 10, 2025
Credited to XY20130630

CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection (High)
CVE-2025-64518 was published for org.cyclonedx:cyclonedx-core-java (Maven) Nov 10, 2025
Credited to nscuro and BrightKn1ght
Advisories are also available from the GraphQL API.