
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

197 advisories

Antrea has invalid enforcement order for network policy rules caused by integer overflow High
CVE-2026-25804 was published for antrea.io/antrea (Go) Feb 6, 2026
Credited to antoninbas and Dyanngg
Gogs Vulnerable to 2FA Bypass via Recovery Code High
CVE-2025-64175 was published for gogs.io/gogs (Go) Feb 6, 2026
@fedify/fedify has Improper Authentication and Incorrect Authorization High
CVE-2025-54888 was published for @fedify/fedify (npm) Aug 8, 2025
Credited to allouis and dahlia
Salt Authentication Protocol Version Downgrade Allows Minion Impersonation High
CVE-2025-62349 was published for salt (pip) Jan 30, 2026
FastMCP Auth Integration Allows for Confused Deputy Account Takeover High
GHSA-c2jp-c369-7pvx was published for fastmcp (pip) Oct 29, 2025
Credited to localden
Jervis's AES CBC Mode is Without Authentication High
CVE-2025-68931 was published for net.gleske:jervis (Maven) Jan 13, 2026
Ghost has Staff 2FA bypass High
CVE-2026-22594 was published for ghost (npm) Jan 8, 2026
Credited to odgrso
Filament multi-factor authentication (app) recovery codes can be used multiple times High
CVE-2025-67507 was published for filament/filament (Composer) Dec 9, 2025
Credited to JaZo and danharrin
Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register) High
GHSA-v5w9-prxf-w882 was published for flowise (npm) Nov 17, 2025
Credited to ReeFSpeK and ERANV-EVA
Memos' Access Tokens Stay Valid after User Password Change High
CVE-2024-21635 was published for github.com/usememos/memos (Go) Nov 14, 2025
Credited to jhademcconnell
ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP High
CVE-2025-64717 was published for github.com/zitadel/zitadel (Go) Nov 14, 2025
Credited to livio-a, IAM-marco, and Jank1310
TYPO3 Modules Extension has Improper Authentication vulnerability High
CVE-2025-12998 was published for codingms/modules (Composer) Nov 12, 2025
Zitadel May Bypass Second Authentication Factor High
CVE-2025-64103 was published for github.com/zitadel/zitadel (Go) Oct 29, 2025
Credited to livio-a, IAM-marco, and mffap
Apache ActiveMQ Deserialization of Untrusted Data vulnerability High
CVE-2022-41678 was published for org.apache.activemq:apache-activemq (Maven) Nov 28, 2023
Credited to sunSUNQ
Mattermost Server: Insufficient Password-Reset Link Invalidation High
CVE-2016-11074 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Authentication bypass for viewing and deletions of snapshots High
CVE-2021-39226 was published for github.com/grafana/grafana (Go) Oct 5, 2021
Credited to theblackturtle
Account Takeover in Octobercms High
CVE-2021-32648 was published for october/system (Composer) Aug 30, 2021
Dragonfly doesn't have authentication enabled for some Manager’s endpoints High
CVE-2025-59345 was published for d7y.io/dragonfly/v2 (Go) Sep 17, 2025
Credited to gaius-qi
WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled High
CVE-2025-54376 was published for github.com/SpectoLabs/hoverfly (Go) Sep 10, 2025
Credited to Kr1shna4garwal
Komari vulnerable to 2FA Authentication Bypass High
GHSA-jhmr-57cj-q6g9 was published for github.com/komari-monitor/komari (Go) Aug 12, 2025
Credited to imlonghao
Alchemy Non-SMA and Webauthn Account Security Advisory High
GHSA-56r6-ccm5-8hg3 was published for @account-kit/smart-contracts (npm) Jul 21, 2025
Credited to carlos-cow
TiDB authentication bypass vulnerability High
CVE-2022-31011 was published for github.com/pingcap/tidb (Go) Jun 6, 2022
Salt has minion event bus authorization bypass vulnerability High
CVE-2025-22236 was published for salt (pip) Jun 13, 2025
pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration High
CVE-2025-49146 was published for org.postgresql:postgresql (Maven) Jun 11, 2025
Credited to jawj
Erxes Incorrect Access Control vulnerability High
CVE-2024-57190 was published for erxes (npm) Jun 10, 2025