Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,992
Erlang
39
GitHub Actions
38
Go
2,634
Maven
5,000+
npm
4,258
NuGet
760
pip
4,051
Pub
12
RubyGems
955
Rust
1,054
Swift
45
Unreviewed advisories
All unreviewed
5,000+

24,577 advisories

Loading
Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables Moderate
CVE-2025-10929 was published for drupal/reverse_proxy_header (Composer) Oct 30, 2025
Drupal Access code allows Brute Force Attempts Moderate
CVE-2025-10928 was published for drupal/access_code (Composer) Oct 30, 2025
Drupal Umami Analytics allows Cross-Site Scripting (XSS) Low
CVE-2025-10931 was published for drupal/umami_analytics (Composer) Oct 30, 2025
LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore High
CVE-2025-64104 was published for langgraph-checkpoint-sqlite (pip) Oct 29, 2025
ColeMurray
Credited to ColeMurray
Zitadel May Bypass Second Authentication Factor High
CVE-2025-64103 was published for github.com/zitadel/zitadel (Go) Oct 29, 2025
livio-a IAM-marco
mffap
Credited to livio-a, IAM-marco, and mffap
Zitadel allows brute-forcing authentication factors High
CVE-2025-64102 was published for github.com/zitadel/zitadel (Go) Oct 29, 2025
livio-a IAM-marco
Credited to livio-a and IAM-marco
ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection High
CVE-2025-64101 was published for github.com/zitadel/zitadel/v2 (Go) Oct 29, 2025
amit-laish livio-a
IAM-marco
Credited to amit-laish, livio-a, and IAM-marco
OpenUSD File Parsing Use-After-Free Remote Code Execution Vulnerability Moderate
GHSA-grjp-54v3-c442 was published for usd-core (pip) Oct 29, 2025
uv allows ZIP payload obfuscation through parsing differentials Moderate
GHSA-pqhf-p39g-3x64 was published for uv (pip) Oct 29, 2025
calebbrown woodruffw
zanieb
Credited to calebbrown, woodruffw, and zanieb
CKAN vulnerable to fixed session IDs Moderate
CVE-2025-64100 was published for ckan (pip) Oct 29, 2025
DNN Insufficient Access Control - Image Upload allows for Site Content Overwrite Critical
CVE-2025-64095 was published for DNN.PLATFORM (NuGet) Oct 29, 2025
bdukes valadas
Credited to bdukes and valadas
DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload Moderate
CVE-2025-64094 was published for DotNetNuke.Core (NuGet) Oct 29, 2025
pdstat bdukes
mitchelsellers valadas
Credited to pdstat, bdukes, mitchelsellers, and valadas
DNN CKEditor Provider allows unauthenticated upload out-of-the-box Moderate
CVE-2025-62802 was published for Dnn.Platform (NuGet) Oct 29, 2025
r90727 bdukes
donker david-poindexter mitchelsellers
Credited to r90727, bdukes, donker, david-poindexter, and mitchelsellers
MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability High
CVE-2025-11201 was published for mlflow (pip) Oct 29, 2025
MLflow Weak Password Requirements Authentication Bypass Vulnerability High
CVE-2025-11200 was published for mlflow (pip) Oct 29, 2025
TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update High
CVE-2025-60542 was published for typeorm (npm) Oct 29, 2025
cavadalizada
Credited to cavadalizada
FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name Moderate
CVE-2025-62801 was published for fastmcp (pip) Oct 29, 2025
nil340
Credited to nil340
FastMCP vulnerable to reflected XSS in client's callback page Moderate
CVE-2025-62800 was published for fastmcp (pip) Oct 29, 2025
an7y
Credited to an7y
FastMCP Auth Integration Allows for Confused Deputy Account Takeover High
GHSA-c2jp-c369-7pvx was published for fastmcp (pip) Oct 29, 2025
localden
Credited to localden
CKAN vulnerable to stored XSS in resource description Moderate
CVE-2025-54384 was published for ckan (pip) Oct 29, 2025
asifnawazminhas
Credited to asifnawazminhas
Jenkins Curseforge Publisher Plugin does not mask API Keys displayed on the job configuration form Moderate
CVE-2025-64147 was published for org.jenkins-ci.plugins:curseforge-publisher (Maven) Oct 29, 2025
Jenkins Publish to Bitbucket Plugin vulnerable to CSRF and missing permissions check Moderate
CVE-2025-64149 was published for org.jenkins-ci.plugins:publish-to-bitbucket (Maven) Oct 29, 2025
Jenkins Publish to Bitbucket Plugin is missing a permissions check Moderate
CVE-2025-64148 was published for org.jenkins-ci.plugins:publish-to-bitbucket (Maven) Oct 29, 2025
Jenkins Publish to Bitbucket Plugin is missing a permissions check Moderate
CVE-2025-64150 was published for org.jenkins-ci.plugins:publish-to-bitbucket (Maven) Oct 29, 2025
Jenkins Nexus Task Runner Plugin vulnerable to cross-site request forgery Moderate
CVE-2025-64141 was published for org.jenkins-ci.plugins:nexus-task-runner (Maven) Oct 29, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database