GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
1,296 advisories
Marp Core allows XSS by improper neutralization of HTML sanitization
Moderate
CVE-2024-56510
was published
for
@marp-team/marp-core
(npm)
Dec 26, 2024
Trix allows Cross-site Scripting via `javascript:` url in a link
Moderate
CVE-2025-21610
was published
for
trix
(npm)
Jan 3, 2025
Next.js Allows a Denial of Service (DoS) with Server Actions
Moderate
CVE-2024-56332
was published
for
next
(npm)
Jan 3, 2025
parse-uri Regular expression Denial of Service (ReDoS)
Moderate
CVE-2024-36751
was published
for
parse-uri
(npm)
Jan 16, 2025
KaTeX \htmlData does not validate attribute names
Moderate
CVE-2025-23207
was published
for
katex
(npm)
Jan 17, 2025
Websites were able to send any requests to the development server and read the response in vite
Moderate
CVE-2025-24010
was published
for
vite
(npm)
Jan 21, 2025
Infinite loop and Blind SSRF found inside the Webfinger mechanism in @fedify/fedify
Moderate
CVE-2025-23221
was published
for
@fedify/fedify
(npm)
Jan 21, 2025
XSS/HTML Injection Vulnerability in Umbraco Backoffice Components
Moderate
CVE-2025-24012
was published
for
@umbraco-cms/backoffice
(npm)
Jan 21, 2025
Use of Insufficiently Random Values in undici
Moderate
CVE-2025-22150
was published
for
undici
(npm)
Jan 21, 2025
MathLive's Lack of Escaping of HTML allows for XSS
Moderate
CVE-2025-29049
was published
for
mathlive
(npm)
Jan 21, 2025
Directus allows privilege escalation using Share feature
Moderate
CVE-2025-24353
was published
for
@directus/app
(npm)
Jan 23, 2025
Opening a malicious website while running a Nuxt dev server could allow read-only access to code
Moderate
CVE-2025-24360
was published
for
@nuxt/vite-builder
(npm)
Jan 27, 2025
Opening a malicious website while running a Nuxt dev server could allow read-only access to code
Moderate
CVE-2025-24361
was published
for
@nuxt/rspack-builder
(npm)
Jan 27, 2025
ZX Allows Environment Variable Injection for dotenv API
Moderate
CVE-2025-24959
was published
for
zx
(npm)
Feb 3, 2025
Vitest browser mode serves arbitrary files
Moderate
CVE-2025-24963
was published
for
@vitest/browser
(npm)
Feb 4, 2025
esbuild enables any website to send any requests to the development server and read the response
Moderate
GHSA-67mh-4wv8-2f99
was published
for
esbuild
(npm)
Feb 10, 2025
Cross-site Scripting (XSS) in serialize-javascript
Moderate
CVE-2024-11831
was published
for
serialize-javascript
(npm)
Feb 10, 2025
DOMPurify allows Cross-site Scripting (XSS)
Moderate
CVE-2025-26791
was published
for
dompurify
(npm)
Feb 14, 2025
Vega allows Cross-site Scripting via the vlSelectionTuples function
Moderate
CVE-2025-25304
was published
for
vega
(npm)
Feb 14, 2025
@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Moderate
CVE-2025-25285
was published
for
@octokit/endpoint
(npm)
Feb 14, 2025
@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Moderate
CVE-2025-25288
was published
for
@octokit/plugin-paginate-rest
(npm)
Feb 14, 2025
ProTip!
Advisories are also available from the
GraphQL API