Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,737
Maven
5,000+
npm
4,337
NuGet
764
pip
4,112
Pub
12
RubyGems
960
Rust
1,068
Swift
45
Unreviewed advisories
All unreviewed
5,000+

8,675 advisories

Loading
LangGraph's SQLite is vulnerable to SQL injection via metadata filter key in SQLite checkpointer list method High
GHSA-9rwj-6rc7-p77c was published for langgraph-checkpoint-sqlite (pip) Dec 10, 2025
VladimirEliTokarev yardenporat353
Credited to VladimirEliTokarev and yardenporat353
Shopware Storefront Reflected XSS in Storefront Login Page High
GHSA-6w82-v552-wjw2 was published for shopware/shopware (Composer) Dec 9, 2025
NielDuysters
Credited to NielDuysters
Neuron MySQLSelectTool “read-only” bypass via `SELECT ... INTO OUTFILE` (file write → potential RCE) High
CVE-2025-67509 was published for neuron-core/neuron-ai (Composer) Dec 9, 2025
siewer
Credited to siewer
Filament multi-factor authentication (app) recovery codes can be used multiple times High
CVE-2025-67507 was published for filament/filament (Composer) Dec 9, 2025
JaZo danharrin
Credited to JaZo and danharrin
SiYuan vulnerable to RCE via zip slip and Command Injection via PandocBin High
GHSA-4r66-7rcv-x46x was published for github.com/siyuan-note/siyuan/kernel (Go) Dec 9, 2025
sebastianosrt
Credited to sebastianosrt
SiYuan: ZipSlip -> Arbitrary File Overwrite -> RCE High
CVE-2025-67488 was published for github.com/siyuan-note/siyuan/kernel (Go) Dec 9, 2025
MrRauL124
Credited to MrRauL124
RCE via ZipSlip and symbolic links in argoproj/argo-workflows High
CVE-2025-66626 was published for github.com/argoproj/argo-workflows (Go) Dec 9, 2025
cristianstaicu meenakshisl
Credited to cristianstaicu and meenakshisl
Elysia affected by arbitrary code injection through cookie config High
CVE-2025-66457 was published for elysia (npm) Dec 9, 2025
sportshead
Credited to sportshead
NiceGUI has a path traversal in app.add_media_files() allows arbitrary file read High
CVE-2025-66645 was published for nicegui (pip) Dec 9, 2025
y4rvin evnchn
falkoschindler
Credited to y4rvin, evnchn, and falkoschindler
Babylon Nil BlockHash in BLS vote extensions triggers panics in consensus handlers High
GHSA-m6wq-66p2-c8pc was published for github.com/babylonlabs-io/babylon (Go) Dec 8, 2025
ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login High
CVE-2025-67495 was published for github.com/zitadel/zitadel (Go) Dec 8, 2025
amit-laish livio-a
Credited to amit-laish and livio-a
ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login High
GHSA-pfrf-9r5f-73f5 was published for github.com/zitadel/zitadel (Go) Dec 8, 2025
amit-laish livio-a
Credited to amit-laish and livio-a
Csla affected by Remote Code Execution via WcfProxy (NetDataContractSerializer) High
CVE-2025-66631 was published for Csla (NuGet) Dec 8, 2025
rockfordlhotka Outurnate
Credited to rockfordlhotka and Outurnate
Critical Use-After-Free in Wasmi's Linear Memory High
CVE-2025-66627 was published for wasmi (Rust) Dec 8, 2025
memos vulnerability allows the creation of arbitrary accounts High
CVE-2025-65795 was published for github.com/usememos/memos (Go) Dec 8, 2025
1Panel – CAPTCHA Bypass via Client-Controlled Flag High
CVE-2025-66507 was published for github.com/1Panel-dev/1Panel (Go) Dec 8, 2025
aliyevmursal
Credited to aliyevmursal
Strimzi allows unrestricted access to all Secrets in the same Kubernetes namespace from Kafka Connect and MirrorMaker 2 operands High
CVE-2025-66623 was published for io.strimzi:strimzi (Maven) Dec 5, 2025
scholzj ppatierno
im-konge
Credited to scholzj, ppatierno, and im-konge
yawkat LZ4 Java has a possible information leak in Java safe decompressor High
CVE-2025-66566 was published for at.yawk.lz4:lz4-java (Maven) Dec 5, 2025
simonresch
Credited to simonresch
Sigstore Timestamp Authority allocates excessive memory during request parsing High
CVE-2025-66564 was published for github.com/sigstore/timestamp-authority (Go) Dec 5, 2025
Fulcio allocates excessive memory during token parsing High
CVE-2025-66506 was published for github.com/sigstore/fulcio (Go) Dec 5, 2025
adeinega
Credited to adeinega
urllib3 streaming API improperly handles highly compressed data High
CVE-2025-66471 was published for urllib3 (pip) Dec 5, 2025
illia-v pquentin
sethmlarson Cycloctane stamparm
Credited to illia-v, pquentin, sethmlarson, Cycloctane, and stamparm
urllib3 allows an unbounded number of links in the decompression chain High
CVE-2025-66418 was published for urllib3 (pip) Dec 5, 2025
illia-v sethmlarson
pquentin
Credited to illia-v, sethmlarson, and pquentin
Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF' High
CVE-2025-65959 was published for open-webui (npm) Dec 4, 2025
pyozzi-toss L2VE
Credited to pyozzi-toss and L2VE
Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web High
CVE-2025-65958 was published for open-webui (pip) Dec 4, 2025
teolines
Credited to teolines
Logrus is vulnerable to DoS when using Entry.Writer() High
CVE-2025-65637 was published for github.com/sirupsen/logrus (Go) Dec 4, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database