Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,870
Erlang
36
GitHub Actions
36
Go
2,493
Maven
5,000+
npm
4,126
NuGet
735
pip
3,943
Pub
12
RubyGems
945
Rust
1,021
Swift
39
Unreviewed advisories
All unreviewed
5,000+

152 advisories

Loading
interactive-git-checkout has a Command Injection vulnerability Critical
CVE-2025-59046 was published for interactive-git-checkout (npm) Sep 10, 2025
lirantal
@akoskm/create-mcp-server-stdio is vulnerable to MCP Server Command Injection through `exec` API Critical
CVE-2025-54994 was published for @akoskm/create-mcp-server-stdio (npm) Sep 8, 2025
lirantal
Improper Neutralization of Special Elements used in a Command in Shell-quote Critical
CVE-2021-42740 was published for shell-quote (npm) May 24, 2022
MyTrueWallet kurt-r2c
jwilk levpachmanov
CodeceptJS's incomprehensive sanitation can lead to Command Injection Critical
CVE-2025-57285 was published for codeceptjs (npm) Sep 8, 2025
Active Storage allowed transformation methods that were potentially unsafe Critical
CVE-2025-24293 was published for activestorage (RubyGems) Aug 14, 2025
th4s1s
screenshot-desktop vulnerable to command Injection via `format` option Critical
CVE-2025-55294 was published for screenshot-desktop (npm) Aug 19, 2025
RichardoC bencevans
@nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers Critical
CVE-2025-54782 was published for @nestjs/devtools-integration (npm) Aug 1, 2025
JLLeitschuh
tj-actions/branch-names has a Command Injection Vulnerability Critical
CVE-2025-54416 was published for tj-actions/branch-names (GitHub Actions) Jul 25, 2025
tutasla
Apache Kylin vulnerable to remote code execution Critical
CVE-2022-24697 was published for org.apache.kylin:kylin-core-common (Maven) Jul 6, 2023
goshs route not protected, allows command execution Critical
CVE-2025-46816 was published for github.com/patrickhener/goshs (Go) May 6, 2025
Guilhem7
YoutubeDLSharp allows command injection on windows system due to non sanitized arguments Critical
CVE-2025-43858 was published for YoutubeDLSharp (NuGet) Apr 23, 2025
kitsumed alxnull
cycle-import-check vulnerable to Command Injection Critical
CVE-2022-24377 was published for cycle-import-check (npm) Dec 14, 2022
Duplicate Advisory: D-Tale Command Injection vulnerability Critical
CVE-2025-0655 was published for dtale (pip) Mar 20, 2025 withdrawn
Remote code execution in PHPMailer Critical
CVE-2016-10033 was published for phpmailer/phpmailer (Composer) Mar 5, 2020
Remote code execution in PHPMailer Critical
CVE-2016-10045 was published for phpmailer/phpmailer (Composer) Mar 5, 2020
SurrealDB server-takeover via SurrealQL injection on backup import Critical
GHSA-ccj3-5p93-8p42 was published for surrealdb (Rust) Apr 11, 2025
cure53
exec-local-bin vulnerable to Command Injection Critical
CVE-2022-25923 was published for exec-local-bin (npm) Jan 6, 2023
PlotAI eval vulnerability Critical
CVE-2025-1497 was published for plotai (pip) Mar 10, 2025
global-modules-path Command Injection vulnerability Critical
CVE-2022-21191 was published for global-modules-path (npm) Jan 13, 2023
Command Injection in create-choo-electron Critical
CVE-2022-25908 was published for create-choo-electron (npm) Jan 26, 2023
Command injection in vagrant.js Critical
CVE-2022-25962 was published for vagrant.js (npm) Jan 26, 2023
Withdrawn Advisory: Dask Vulnerable to Command Injection Critical
CVE-2024-10096 was published for dask (pip) Mar 20, 2025 withdrawn
krishanbhasin-px
Command Injection in thorsten/phpmyfaq Critical
CVE-2023-0789 was published for thorsten/phpmyfaq (Composer) Feb 12, 2023
Horovod Vulnerable to Command Injection Critical
CVE-2024-10190 was published for horovod (pip) Mar 20, 2025
Grafana Command Injection And Local File Inclusion Via Sql Expressions Critical
CVE-2024-9264 was published for github.com/grafana/grafana (Go) Oct 18, 2024
Malayke
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database