Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,876
Erlang
37
GitHub Actions
37
Go
2,526
Maven
5,000+
npm
4,189
NuGet
742
pip
3,968
Pub
12
RubyGems
947
Rust
1,030
Swift
39
Unreviewed advisories
All unreviewed
5,000+

3,437 advisories

Loading
Apache IoTDB: Deserialization of untrusted Data Critical
CVE-2025-48459 was published for org.apache.iotdb:iotdb-confignode (Maven) Sep 24, 2025
cai0duque
get-jwks: poisoned JWKS cache allows post-fetch issuer validation bypass Critical
CVE-2025-59936 was published for get-jwks (npm) Sep 26, 2025
epureionut99
Gardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning Critical
CVE-2025-59823 was published for github.com/gardener/gardener-extension-provider-aws (Go) Sep 25, 2025
petersutter kon-angelo
hebelsan JordanJordanov donistz
cors-anywhere vulnerable to server-side request forgery Critical
CVE-2020-36851 was published for cors-anywhere (npm) Sep 25, 2025
XWiki Platform: Remote code execution as guest via DatabaseSearch Critical
CVE-2024-31982 was published for org.xwiki.platform:xwiki-platform-search-ui (Maven) Apr 10, 2024
Command Injection in adb-mcp MCP Server Critical
CVE-2025-59834 was published for adb-mcp (npm) Sep 24, 2025
lirantal
mcp-kubernetes-server has an OS Command Injection vulnerability Critical
CVE-2025-59377 was published for mcp-kubernetes-server (pip) Sep 15, 2025
cai0duque
Malicious versions of Nx were published Critical
CVE-2025-10894 was published for @nx/devkit (npm) Aug 27, 2025
jahredhope tadhglewis
hckhanh TimShilov
Duplicate Advisory: Malicious versions of Nx were published Critical
GHSA-8mjq-32x3-22qf was published for nx (npm) Sep 25, 2025 withdrawn
CleverTap Cordova plugin vulnerable to Cross-site Scripting Critical
CVE-2023-2507 was published for clevertap-cordova (npm) Jul 15, 2023
InvokeAI has External Control of File Name or Path Critical
CVE-2025-6237 was published for invokeai (pip) Sep 18, 2025
cai0duque
CodeceptJS's incomprehensive sanitation can lead to Command Injection Critical
CVE-2025-57285 was published for codeceptjs (npm) Sep 8, 2025
mhassan1
Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch Critical
CVE-2023-20860 was published for org.springframework:spring (Maven) Mar 28, 2023
sunSUNQ AndrzejBiernacki2010
DNN Vulnerable to Stored Cross-Site Scripting (XSS) in the Prompt module Critical
CVE-2025-59545 was published for DotNetNuke.Core (NuGet) Sep 23, 2025
bdukes valadas
mitchelsellers
H2O.ai H2O vulnerable to deserialization attacks via a JDBC Connection URL Critical
CVE-2024-45758 was published for ai.h2o:h2o-core (Maven) Sep 6, 2024
Flowise has Remote Code Execution vulnerability Critical
CVE-2025-59528 was published for flowise (npm) Sep 15, 2025
im-soohyun
H2O affected by a deserialization vulnerability Critical
CVE-2025-6544 was published for ai.h2o:h2o-core (Maven) Sep 22, 2025
Magento Community Edition Improper Input Validation vulnerability Critical
CVE-2025-54236 was published for magento/community-edition (Composer) Sep 9, 2025
jinjava has Sandbox Bypass via JavaType-Based Deserialization Critical
CVE-2025-59340 was published for com.hubspot.jinjava:jinjava (Maven) Sep 17, 2025
taisehub odgrso
FitNesse allows execution of arbitrary OS commands Critical
CVE-2024-28125 was published for org.fitnesse:fitnesse (Maven) Mar 18, 2024
XML Processing error in github.com/crewjam/saml Critical
CVE-2020-27846 was published for github.com/crewjam/saml (Go) Jun 23, 2021
Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports Critical
CVE-2025-10157 was published for picklescan (pip) Sep 10, 2025
davcohen
Picklescan Bypass is Possible via File Extension Mismatch Critical
CVE-2025-10155 was published for picklescan (pip) Sep 10, 2025
Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check Critical
CVE-2025-10156 was published for picklescan (pip) Sep 10, 2025
Duplicate Advisory: Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports Critical
GHSA-hf6h-9wq7-hmjg was published for picklescan (pip) Sep 17, 2025 withdrawn
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database