Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,717
Maven
5,000+
npm
4,328
NuGet
761
pip
4,105
Pub
12
RubyGems
958
Rust
1,065
Swift
45
Unreviewed advisories
All unreviewed
5,000+

4,329 advisories

Loading
Duplicate Advisory: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict High
GHSA-jj37-3377-m6vv was published for nodemailer (npm) Nov 14, 2025 withdrawn
Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change High
GHSA-fjh6-8679-9pch was published for flowise-ui (npm) Nov 14, 2025
mbiesiad
Credited to mbiesiad
Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials) High
GHSA-x39m-3393-3qp4 was published for flowise-ui (npm) Nov 14, 2025
mbiesiad
Credited to mbiesiad
Flowise Fails to Invalidate Existing Sessions After Password Changes High
GHSA-x7rp-qj2h-ghgw was published for flowise (npm) Nov 14, 2025
mbiesiad
Credited to mbiesiad
expr-eval vulnerable to Prototype Pollution High
CVE-2025-13204 was published for expr-eval (npm) Nov 14, 2025
@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields High
CVE-2025-64530 was published for @apollo/composition (npm) Nov 14, 2025
js-yaml has prototype pollution in merge (<<) Moderate
CVE-2025-64718 was published for js-yaml (npm) Nov 14, 2025
Zephkek mhassan1
opal-visibuild alexstrive jlp-craigmorten turi4200
Credited to Zephkek, mhassan1, opal-visibuild, alexstrive, jlp-craigmorten, and turi4200
Directus Vulnerable to Information Leakage in Existing Collections Moderate
CVE-2025-64749 was published for @directus/api (npm) Nov 13, 2025
sbstn-k kmzs
Credited to sbstn-k and kmzs
Directus's conceal fields are searchable if read permissions enabled Moderate
CVE-2025-64748 was published for @directus/api (npm) Nov 13, 2025
bryantgillespie
Credited to bryantgillespie
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass Moderate
CVE-2025-64525 was published for astro (npm) Nov 13, 2025
cold-try delucis
Credited to cold-try and delucis
Astro development server error page is vulnerable to reflected Cross-site Scripting Low
CVE-2025-64745 was published for astro (npm) Nov 13, 2025
pHo9UBenaA delucis
florian-lefebvre
Credited to pHo9UBenaA, delucis, and florian-lefebvre
Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable High
CVE-2025-59840 was published for vega (npm) Nov 13, 2025
nickcopi hydrosquall
domoritz jeramysoucy lsh kachkaev
Credited to nickcopi, hydrosquall, domoritz, jeramysoucy, lsh, and kachkaev
AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance High
GHSA-8wj8-cfxr-9374 was published for aws-advanced-nodejs-wrapper (npm) Nov 13, 2025
Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details Moderate
CVE-2025-64502 was published for parse-server (npm) Nov 13, 2025
mtrezza coratgerl
mstniy
Credited to mtrezza, coratgerl, and mstniy
Cloudinary Node SDK is vulnerable to Arbitrary Argument Injection through parameters that include an ampersand High
CVE-2025-12613 was published for cloudinary (npm) Nov 10, 2025
EverShop is vulnerable to Unauthorized Order Information Access (IDOR) Low
CVE-2025-12919 was published for @evershop/evershop (npm) Nov 9, 2025
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events High
CVE-2025-64496 was published for open-webui (npm) Nov 7, 2025
vitalysim
Credited to vitalysim
Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE High
CVE-2025-64495 was published for open-webui (npm) Nov 7, 2025
gg0h
Credited to gg0h
Nuxt DevTools vulnerable to cross-site scripting (XSS) Moderate
CVE-2025-52662 was published for @nuxt/devtools (npm) Nov 7, 2025
Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files Low
CVE-2025-48985 was published for ai (npm) Nov 7, 2025
Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format High
CVE-2025-64430 was published for parse-server (npm) Nov 5, 2025
jacksonkasi1 mtrezza
Credited to jacksonkasi1 and mtrezza
expr-eval does not restrict functions passed to the evaluate function High
CVE-2025-12735 was published for expr-eval (npm) Nov 5, 2025
sei-vsarvepalli
Credited to sei-vsarvepalli
@react-native-community/cli has arbitrary OS command injection Critical
CVE-2025-11953 was published for @react-native-community/cli (npm) Nov 3, 2025
Malayke cylewaitforit
liamjones conorfitch
Credited to Malayke, cylewaitforit, liamjones, and conorfitch
node-tar has a race condition leading to uninitialized memory exposure Moderate
CVE-2025-64118 was published for tar (npm) Oct 30, 2025
ChALkeR
Credited to ChALkeR
n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook High
CVE-2025-62726 was published for n8n (npm) Oct 30, 2025
assaf-levkovich-jf
Credited to assaf-levkovich-jf
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database