Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,870
Erlang
37
GitHub Actions
36
Go
2,500
Maven
5,000+
npm
4,147
NuGet
735
pip
3,948
Pub
12
RubyGems
945
Rust
1,025
Swift
39
Unreviewed advisories
All unreviewed
5,000+

1,109 advisories

Loading
WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled High
CVE-2025-54376 was published for github.com/SpectoLabs/hoverfly (Go) Sep 10, 2025
Kr1shna4garwal
Atlantis Exposes Service Version Publicly on /status API Endpoint Low
CVE-2025-58445 was published for github.com/runatlantis/atlantis (Go) Sep 5, 2025
matthewmrichter
Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15 Moderate
CVE-2015-7940 was published for org.bouncycastle:bcprov-jdk14 (Maven) Oct 17, 2018
Vite middleware may serve files starting with the same name with the public directory Low
CVE-2025-58751 was published for vite (npm) Sep 9, 2025
orihjfrog lukeed
Vite's `server.fs` settings were not applied to HTML files Low
CVE-2025-58752 was published for vite (npm) Sep 9, 2025
orihjfrog dominikg
TYPO3 CSV download feature information disclosure Moderate
CVE-2025-59019 was published for typo3/cms-backend (Composer) Sep 9, 2025
TYPO3 Workspaces Module Information Disclosure High
CVE-2025-59018 was published for typo3/cms-workspaces (Composer) Sep 9, 2025
Argo CD's Project API Token Exposes Repository Credentials Critical
CVE-2025-55190 was published for github.com/argoproj/argo-cd/v2 (Go) Sep 4, 2025
ntammineni5 34fathombelow
alexmt jannfis crenshaw-dev svghadi
@backstage/backend-app-api leaks GitLab access tokens High
CVE-2023-6944 was published for @backstage/backend-app-api (npm) Jan 4, 2024
Langchain Community Vulnerable to XML External Entity (XXE) Attacks High
CVE-2025-6984 was published for langchain-community (pip) Sep 4, 2025
Jenkins Git client Plugin file system information disclosure vulnerability Moderate
CVE-2025-58458 was published for org.jenkins-ci.plugins:git-client (Maven) Sep 3, 2025
Valtimo scripting engine can be used to gain access to sensitive data or resources Critical
CVE-2025-58059 was published for com.ritense.valtimo:core (Maven) Aug 28, 2025
Contao can disclose sensitive information in the news module Moderate
CVE-2025-57757 was published for contao/contao (Composer) Aug 28, 2025
fritzmg
Contao discloses sensitive information in the front end search index Moderate
CVE-2025-57756 was published for contao/contao (Composer) Aug 28, 2025
fritzmg
Opencast still publishes global system account credentials Moderate
CVE-2025-54380 was published for org.opencastproject:opencast-common (Maven) Jul 25, 2025
lkiesow
Memos has Cross-Site Scripting (XSS) Vulnerability in Image URLs Moderate
CVE-2025-50738 was published for github.com/usememos/memos (Go) Jul 29, 2025
@musistudio/claude-code-router has improper CORS configuration High
CVE-2025-57755 was published for @musistudio/claude-code-router (npm) Aug 21, 2025
ttttmr
Information Disclosure in Amazon ECS Container Agent Moderate
CVE-2025-9039 was published for github.com/aws/amazon-ecs-agent (Go) Aug 14, 2025
Apache Superset data query improperly discloses database schema information to low-privileged guest user Moderate
CVE-2025-55673 was published for apache-superset (pip) Aug 14, 2025
MantisBT may disclose project names to unauthorized users Moderate
CVE-2023-44394 was published for mantisbt/mantisbt (Composer) Oct 17, 2023
The AuthKit Remix Library renders sensitive auth data in HTML High
CVE-2025-55009 was published for @workos-inc/authkit-remix (npm) Aug 8, 2025
The AuthKit React Router Library rendered sensitive auth data in HTML High
CVE-2025-55008 was published for @workos-inc/authkit-react-router (npm) Aug 8, 2025
OpenSearch unauthorized data access on fields protected by field level security if field is a member of an object Moderate
GHSA-2rjv-cv85-xhgm was published for org.opensearch.plugin:opensearch-security (Maven) Aug 1, 2025
OpenSearch unauthorized data access on fields protected by field masking for fields of type ip, geo_point, geo_shape, xy_point, xy_shape Moderate
GHSA-rrmm-wq7q-h4v5 was published for org.opensearch.plugin:opensearch-security (Maven) Aug 1, 2025
GitProxy Hidden Commits Injection High
CVE-2025-54586 was published for @finos/git-proxy (npm) Jul 30, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database