Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,757
Maven
5,000+
npm
4,364
NuGet
766
pip
4,130
Pub
12
RubyGems
961
Rust
1,070
Swift
45
Unreviewed advisories
All unreviewed
5,000+

25,071 advisories

Loading
Auth0 WordPress has Improper Audience Validation via Auth0-PHP SDK Dependency Moderate
GHSA-vvg7-8rmq-92g7 was published for auth0/wordpress (Composer) Dec 17, 2025
Auth0 Symfony SDK has Improper Audience Validation via Auth0-PHP SDK Moderate
GHSA-f3r2-88mq-9v4g was published for auth0/symfony (Composer) Dec 17, 2025
Auth0 Laravel SDK has Improper Audience Validation via Auth0-PHP SDK dependency Moderate
GHSA-7hh9-gp72-wh7h was published for auth0/login (Composer) Dec 17, 2025
Auth0-PHP SDK has Improper Audience Validation Moderate
CVE-2025-68129 was published for auth0/auth0-php (Composer) Dec 17, 2025
mcp-server-git's unrestricted git_init tool allows repository creation at arbitrary filesystem locations Moderate
CVE-2025-68143 was published for mcp-server-git (pip) Dec 17, 2025
Apache Airflow Providers Edge3 exposes internal API allowing RCE in web server context Critical
CVE-2025-67895 was published for apache-airflow-providers-edge3 (pip) Dec 17, 2025
systeminformation has a Command Injection vulnerability in fsSize() function on Windows High
CVE-2025-68154 was published for systeminformation (npm) Dec 16, 2025
yueyueL
Credited to yueyueL
Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter High
CVE-2025-68150 was published for parse-server (npm) Dec 16, 2025
yueyueL mtrezza
Credited to yueyueL and mtrezza
Expr has Denial of Service via Unbounded Recursion in Builtin Functions High
CVE-2025-68156 was published for github.com/expr-lang/expr (Go) Dec 16, 2025
thevilledev
Credited to thevilledev
@vitejs/plugin-rsc has an Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint High
CVE-2025-68155 was published for @vitejs/plugin-rsc (npm) Dec 16, 2025
yueyueL
Credited to yueyueL
SIPGO is Vulnerable to Response DoS via Nil Pointer Dereference High
GHSA-c623-f998-8hhv was published for github.com/emiago/sipgo (Go) Dec 16, 2025
sandrogauci
Credited to sandrogauci
Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits High
GHSA-x732-6j76-qmhm was published for better-auth (npm) Dec 16, 2025
goksan
Credited to goksan
filelock has a TOCTOU race condition which allows symlink attacks during lock file creation Moderate
CVE-2025-68146 was published for filelock (pip) Dec 16, 2025
tsigouris007 gaborbernat
Credited to tsigouris007 and gaborbernat
PyMdown Extensions has a ReDOS bug in its Figure Capture extension Low
CVE-2025-68142 was published for pymdown-extensions (pip) Dec 16, 2025
Libredesk has Improper Neutralization of HTML Tags in a Web Page High
GHSA-wh6m-h6f4-rjf4 was published for github.com/abhinavxd/libredesk (Go) Dec 16, 2025
PlayerIUnknown
Credited to PlayerIUnknown
tRPC has possible prototype pollution in `experimental_nextAppDirCaller` High
CVE-2025-68130 was published for @trpc/server (npm) Dec 16, 2025
Pr00fOf3xpl0it
Credited to Pr00fOf3xpl0it
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables Moderate
CVE-2025-68115 was published for parse-server (npm) Dec 16, 2025
yueyueL mtrezza
Credited to yueyueL and mtrezza
ABP Account Module has an Open Redirect through Improper validation in its register function Moderate
CVE-2025-65581 was published for Volo.Abp.Account.Web (NuGet) Dec 16, 2025
ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay Moderate
CVE-2025-68113 was published for altcha (RubyGems) Dec 16, 2025
eternal-flame-AD
Credited to eternal-flame-AD
Fickling has Code Injection vulnerability via pty.spawn() High
CVE-2025-67748 was published for fickling (pip) Dec 15, 2025
0x00nier
Credited to 0x00nier
Fickling has missing detection for marshal.loads and types.FunctionType in unsafe modules list High
CVE-2025-67747 was published for fickling (pip) Dec 15, 2025
0x00nier
Credited to 0x00nier
Netty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder Moderate
CVE-2025-67735 was published for io.netty:netty-codec-http (Maven) Dec 15, 2025
vietj nakyamad
Credited to vietj and nakyamad
Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR) Moderate
CVE-2025-67715 was published for Weblate (pip) Dec 15, 2025
naxus-audit nijel
Credited to naxus-audit and nijel
Weblate's over‑permissive webhook endpoint enables mass repository updates and component enumeration Moderate
CVE-2025-67492 was published for Weblate (pip) Dec 15, 2025
naxus-audit nijel
Credited to naxus-audit and nijel
LikeC4 has RCE through vulnerable React and Next.js versions Critical
GHSA-vr6p-vq2p-6j74 was published for likec4 (npm) Dec 15, 2025
fnuttens
Credited to fnuttens
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database