Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,794
Maven
5,000+
npm
4,402
NuGet
772
pip
4,179
Pub
12
RubyGems
965
Rust
1,076
Swift
45
Unreviewed advisories
All unreviewed
5,000+

25,250 advisories

Loading
RustFS Path Traversal Vulnerability High
CVE-2025-68705 was published for rustfs (Rust) Jan 7, 2026
Quarkus REST has potential worker thread starvation when HTTP connection is closed while waiting to write Moderate
CVE-2025-66560 was published for io.quarkus:quarkus-rest (Maven) Jan 7, 2026
Directus has open redirect in SAML Moderate
CVE-2026-22032 was published for @directus/api (npm) Jan 6, 2026
im-soohyun Seeunsama
Credited to im-soohyun and Seeunsama
rsa crate has potential panic on a prime being equal to 1 Low
CVE-2026-21895 was published for rsa (Rust) Jan 6, 2026
invd
Credited to invd
Parsl Monitoring Visualization Vulnerable to SQL Injection Moderate
CVE-2026-21892 was published for parsl (pip) Jan 6, 2026
viralvaghela
Credited to viralvaghela
Bypassing Kyverno Policies via Double Policy Exceptions Critical
GHSA-gg4x-fgg2-h9w9 was published for github.com/kyverno/kyverno (Go) Jan 6, 2026
r0binak
Credited to r0binak
Bokeh server applications have Incomplete Origin Validation in WebSockets Moderate
CVE-2026-21883 was published for bokeh (pip) Jan 6, 2026
katzj
Credited to katzj
n8n Vulnerable to RCE via Arbitrary File Write Critical
CVE-2026-21877 was published for n8n (npm) Jan 6, 2026
theolelasseux
Credited to theolelasseux
Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability Moderate
CVE-2026-21859 was published for github.com/axllent/mailpit (Go) Jan 6, 2026
omarkurt
Credited to omarkurt
MONAI has Path Traversal (Zip Slip) in NGC Private Bundle Download Moderate
CVE-2026-21851 was published for monai (pip) Jan 6, 2026
yueyueL
Credited to yueyueL
Pterodactyl TOTPs can be reused during validity window Moderate
CVE-2025-69197 was published for pterodactyl/panel (Composer) Jan 6, 2026
Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced High
CVE-2025-68954 was published for github.com/pterodactyl/wings (Composer) Jan 6, 2026
real2two
Credited to real2two
AIOHTTP Vulnerable to Cookie Parser Warning Storm Low
CVE-2025-69230 was published for aiohttp (pip) Jan 5, 2026
Finder16
Credited to Finder16
AIOHTTP vulnerable to DoS through chunked messages Moderate
CVE-2025-69229 was published for aiohttp (pip) Jan 5, 2026
Finder16
Credited to Finder16
AIOHTTP vulnerable to denial of service through large payloads Moderate
CVE-2025-69228 was published for aiohttp (pip) Jan 5, 2026
ThomasRinsma
Credited to ThomasRinsma
AIOHTTP vulnerable to DoS when bypassing asserts Moderate
CVE-2025-69227 was published for aiohttp (pip) Jan 5, 2026
ThomasRinsma
Credited to ThomasRinsma
AIOHTTP vulnerable to brute-force leak of internal static file path components Low
CVE-2025-69226 was published for aiohttp (pip) Jan 5, 2026
ThomasRinsma
Credited to ThomasRinsma
AIOHTTP has unicode match groups in regexes for ASCII protocol elements Low
CVE-2025-69225 was published for aiohttp (pip) Jan 5, 2026
ThomasRinsma
Credited to ThomasRinsma
AIOHTTP's unicode processing of header values could cause parsing discrepancies Low
CVE-2025-69224 was published for aiohttp (pip) Jan 5, 2026
ThomasRinsma
Credited to ThomasRinsma
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb High
CVE-2025-69223 was published for aiohttp (pip) Jan 5, 2026
charleswhchan
Credited to charleswhchan
`vega-functions` vulnerable to Cross-site Scripting via `setdata` function High
CVE-2025-66648 was published for vega-functions (npm) Jan 5, 2026
nikolaybabiy hydrosquall
domoritz
Credited to nikolaybabiy, hydrosquall, and domoritz
Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope High
CVE-2025-65110 was published for vega-selections (npm) Jan 5, 2026
nickcopi hydrosquall
domoritz
Credited to nickcopi, hydrosquall, and domoritz
Spinnaker vulnerable to SSRF due to improper restrictions on http from user input High
CVE-2025-61916 was published for io.spinnaker.clouddriver:clouddriver-artifacts (Maven) Jan 5, 2026
jake-ciolek CodeWobbler
jasonmcintosh Jaimeoby
Credited to jake-ciolek, CodeWobbler, jasonmcintosh, and Jaimeoby
evershop allows unauthenticated attackers to force server to initiate HTTP request via "GET /images" API Moderate
CVE-2025-67427 was published for @evershop/evershop (npm) Jan 5, 2026
evershop allows unauthenticated attackers to exhaust application server's resources via "GET /images" API High
CVE-2025-67419 was published for @evershop/evershop (npm) Jan 5, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database