Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,698
Maven
5,000+
npm
4,325
NuGet
761
pip
4,099
Pub
12
RubyGems
958
Rust
1,063
Swift
45
Unreviewed advisories
All unreviewed
5,000+

24,875 advisories

Loading
mcp-server-kubernetes has potential security issue in exec_in_pod tool Moderate
CVE-2025-66404 was published for mcp-server-kubernetes (npm) Dec 3, 2025
lavenderlilly
Credited to lavenderlilly
React Server Components are Vulnerable to RCE Critical
GHSA-fmh4-wr37-44fp was published for @vitejs/plugin-rsc (npm) Dec 3, 2025
React Server Components are Vulnerable to RCE Critical
CVE-2025-55182 was published for react-server-dom-parcel (npm) Dec 3, 2025
lachlan2k
Credited to lachlan2k
Next.js is vulnerable to RCE in React flight protocol Critical
CVE-2025-66478 was published for next (npm) Dec 3, 2025
lachlan2k
Credited to lachlan2k
Step CA Has Authorization Bypass in ACME and SCEP Provisioners Critical
CVE-2025-44005 was published for github.com/smallstep/certificates (Go) Dec 3, 2025
Rhino has high CPU usage and potential DoS when passing specific numbers to `toFixed()` function Low
CVE-2025-66453 was published for org.mozilla:rhino (Maven) Dec 3, 2025
TechPizzaDev
Credited to TechPizzaDev
Coder logs sensitive objects unsanitized High
CVE-2025-66411 was published for github.com/coder/coder/v2 (Go) Dec 3, 2025
step-ca Has Improper Authorization Check for SSH Certificate Revocation Moderate
CVE-2025-66406 was published for github.com/smallstep/certificates (Go) Dec 3, 2025
Claude Code Command Validation Bypass Allows Arbitrary Code Execution High
CVE-2025-66032 was published for @anthropic-ai/claude-code (npm) Dec 3, 2025
Ry0taK
Credited to Ry0taK
ImageMagick has a use-after-free/double-free risk in Options::fontFamily when clearing family Moderate
CVE-2025-65955 was published for Magick.NET-Q16-AnyCPU (NuGet) Dec 3, 2025
LuiginoC
Credited to LuiginoC
Docker MCP Plugin and Docker MCP Gateway have DNS Rebinding vulnerability when running in sse or streaming mode High
CVE-2025-64443 was published for github.com/docker/mcp-gateway (Go) Dec 3, 2025
JLLeitschuh
Credited to JLLeitschuh
Aimeos GrapesJS CMS extension has possible stored XSS that's exploitable by authenticated editors High
CVE-2025-66468 was published for aimeos/ai-cms-grapesjs (Composer) Dec 3, 2025
BlazeMeter Jenkins Plugin is Missing Authorization for Available Resources Moderate
CVE-2025-13472 was published for com.blazemeter.plugins:BlazeMeterJenkinsPlugin (Maven) Dec 3, 2025
FeehiCMS Has a Remote Code Execution via Unrestricted File Upload in Ad Management Moderate
CVE-2025-65657 was published for feehi/cms (Composer) Dec 2, 2025
assyncmy is vulnerable to SQL injection via crafted dict keys Critical
CVE-2025-65896 was published for asyncmy (pip) Dec 2, 2025
GrapesJsBuilder File Upload allows all file uploads High
CVE-2025-13827 was published for mautic/grapes-js-builder-bundle (Composer) Dec 2, 2025
driskell escopecz
patrykgruszka
Credited to driskell, escopecz, and patrykgruszka
Mautic user without privileged access to the Marketplace can install and uninstall composer packages Critical
CVE-2025-13828 was published for mautic/core (Composer) Dec 2, 2025
driskell escopecz
patrykgruszka
Credited to driskell, escopecz, and patrykgruszka
Apptainer ineffectively applies selinux and apparmor --security options Moderate
CVE-2025-65105 was published for github.com/apptainer/apptainer (Go) Dec 2, 2025
dtrudg
Credited to dtrudg
Singluarity ineffectively applies selinux / apparmor LSM process labels Moderate
CVE-2025-64750 was published for github.com/sylabs/singularity/v4 (Go) Dec 2, 2025
Grav CMS is vulnerable to Cross Site Scripting (XSS) in the page editor Moderate
CVE-2025-65186 was published for getgrav/grav (Composer) Dec 2, 2025
Django is vulnerable to DoS via XML serializer text extraction Moderate
CVE-2025-64460 was published for Django (pip) Dec 2, 2025
Django is vulnerable to SQL injection in column aliases Moderate
CVE-2025-13372 was published for Django (pip) Dec 2, 2025
gokey allows secret recovery from a seed file without the master password High
CVE-2025-13353 was published for github.com/cloudflare/gokey (Go) Dec 2, 2025
arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints Moderate
CVE-2025-66454 was published for arcade-mcp-server (pip) Dec 2, 2025
qi-scape
Credited to qi-scape
vLLM vulnerable to remote code execution via transformers_utils/get_config High
CVE-2025-66448 was published for vllm (pip) Dec 2, 2025
Vancir Isotr0py
DarkLight1337 russellb
Credited to Vancir, Isotr0py, DarkLight1337, and russellb
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database