Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
40
Go
2,951
Maven
5,000+
npm
4,597
NuGet
787
pip
4,304
Pub
12
RubyGems
982
Rust
1,121
Swift
49
Unreviewed advisories
All unreviewed
5,000+

96 advisories

Loading
Devtron Attributes API Unauthorized Access Leading to API Token Signing Key Leakage High
CVE-2026-25538 was published for github.com/devtron-labs/devtron (Go) Feb 4, 2026
b0b0haha spingARbor
lixingquzhi
Credited to b0b0haha, spingARbor, and lixingquzhi
Fleet has an Access Control vulnerability in debug/pprof endpoints High
CVE-2026-23517 was published for github.com/fleetdm/fleet (Go) Jan 20, 2026
prateek-0490 iansltx
Credited to prateek-0490 and iansltx
Backend.AI Missing Authorization vulnerability High
CVE-2025-49651 was published for backend.ai (pip) Jun 9, 2025
Yaminyam
Credited to Yaminyam
TYPO3 CMS Allows Broken Access Control in Recycler Module High
CVE-2025-59022 was published for typo3/cms-recycler (Composer) Jan 13, 2026
misskey.js's export data contains private post data High
CVE-2025-66402 was published for misskey-js (npm) Dec 15, 2025
na2204 samunohito
Credited to na2204 and samunohito
Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions High
CVE-2025-59828 was published for @anthropic-ai/claude-code (npm) Sep 24, 2025
cai0duque
Credited to cai0duque
MARIN3R: Cross-Namespace Vulnerability in the Operator High
CVE-2025-64171 was published for github.com/3scale-sre/marin3r (Go) Nov 4, 2025
debuggerchen
Credited to debuggerchen
Drupal Acquia DAM allows Forceful Browsing High
CVE-2025-9954 was published for drupal/acquia_dam (Composer) Oct 30, 2025
Authentication bypass for viewing and deletions of snapshots High
CVE-2021-39226 was published for github.com/grafana/grafana (Go) Oct 5, 2021
theblackturtle
Credited to theblackturtle
Mattermost has a Missing Authorization vulnerability High
CVE-2025-58075 was published for github.com/mattermost/mattermost-server (Go) Oct 16, 2025
Mattermost has a Missing Authorization vulnerability High
CVE-2025-58073 was published for github.com/mattermost/mattermost-server (Go) Oct 16, 2025
Open WebUI Allows Arbitrary File Reading and Deletion High
CVE-2024-7043 was published for open-webui (pip) Mar 20, 2025
Flowise has unsandboxed remote code execution via Custom MCP High
GHSA-6933-jpx5-q87q was published for flowise (npm) Sep 15, 2025
assaf-levkovich-jf
Credited to assaf-levkovich-jf
Fides Webserver API is Vulnerable to OAuth Client Privilege Escalation High
CVE-2025-57817 was published for ethyca-fides (pip) Sep 8, 2025
thabofletcher erosselli
daveqnet
Credited to thabofletcher, erosselli, and daveqnet
UnoPim has Broken Access Control High
CVE-2025-55741 was published for unopim/unopim (Composer) Aug 22, 2025
0xcharb
Credited to 0xcharb
HAX CMS API Lacks Authorization Checks High
CVE-2025-54378 was published for @haxtheweb/haxcms-nodejs (Composer) Jul 25, 2025
lfgberg
Credited to lfgberg
Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed High
CVE-2025-22235 was published for org.springframework.boot:spring-boot (Maven) Apr 28, 2025
The WikiManager REST API allows any user to create wikis High
CVE-2025-29926 was published for org.xwiki.platform:xwiki-platform-wiki-rest-default (Maven) Mar 19, 2025
Controller reconciles apps outside configured namespaces when sharding is enabled High
CVE-2023-22736 was published for github.com/argoproj/argo-cd/v2 (Go) Jan 25, 2023
czchen crenshaw-dev
Credited to czchen and crenshaw-dev
Any user with view access to the XWiki space can change the authenticator High
CVE-2025-46557 was published for org.xwiki.platform:xwiki-platform-security-authentication-ui (Maven) Apr 30, 2025
Drupal OAuth2 Server Missing Authorization vulnerability High
CVE-2025-31691 was published for drupal/oauth2_server (Composer) Apr 1, 2025
Drupal Open Social Missing Authorization vulnerability High
CVE-2025-31686 was published for goalgorilla/open_social (Composer) Apr 1, 2025
Drupal Authenticator Login Missing Authorization vulnerability High
CVE-2025-31681 was published for drupal/alogin (Composer) Apr 1, 2025
CKAN contains Improper Authentication leading to account takeover High
CVE-2022-43685 was published for ckan (pip) Nov 22, 2022
Velociraptor vulnerable to Missing Authorization High
CVE-2023-0242 was published for www.velocidex.com/golang/velociraptor (Go) Jan 18, 2023
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database