Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,717
Maven
5,000+
npm
4,328
NuGet
761
pip
4,105
Pub
12
RubyGems
958
Rust
1,065
Swift
45
Unreviewed advisories
All unreviewed
5,000+

24,912 advisories

Loading
Strimzi allows unrestricted access to all Secrets in the same Kubernetes namespace from Kafka Connect and MirrorMaker 2 operands High
CVE-2025-66623 was published for io.strimzi:strimzi (Maven) Dec 5, 2025
scholzj ppatierno
im-konge
Credited to scholzj, ppatierno, and im-konge
nitro-tpm-pcr-compute may allow kernel command line modification by an account operator Moderate
GHSA-xrv8-2pf5-f3q7 was published for nitro-tpm-pcr-compute (Rust) Dec 5, 2025
agraf mariusknaust
Credited to agraf and mariusknaust
yawkat LZ4 Java has a possible information leak in Java safe decompressor High
CVE-2025-66566 was published for at.yawk.lz4:lz4-java (Maven) Dec 5, 2025
simonresch
Credited to simonresch
Sigstore Timestamp Authority allocates excessive memory during request parsing High
CVE-2025-66564 was published for github.com/sigstore/timestamp-authority (Go) Dec 5, 2025
Fulcio allocates excessive memory during token parsing High
CVE-2025-66506 was published for github.com/sigstore/fulcio (Go) Dec 5, 2025
adeinega
Credited to adeinega
urllib3 streaming API improperly handles highly compressed data High
CVE-2025-66471 was published for urllib3 (pip) Dec 5, 2025
illia-v pquentin
sethmlarson Cycloctane stamparm
Credited to illia-v, pquentin, sethmlarson, Cycloctane, and stamparm
urllib3 allows an unbounded number of links in the decompression chain High
CVE-2025-66418 was published for urllib3 (pip) Dec 5, 2025
illia-v sethmlarson
pquentin
Credited to illia-v, sethmlarson, and pquentin
Envoy's TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte Moderate
CVE-2025-66220 was published for github.com/envoyproxy/envoy (Go) Dec 5, 2025
botengyao phlax
ggreenway yanavlasov agrawroh
Credited to botengyao, phlax, ggreenway, yanavlasov, and agrawroh
Envoy forwards early CONNECT data in TCP proxy mode Low
CVE-2025-64763 was published for github.com/envoyproxy/envoy (Go) Dec 5, 2025
botengyao phlax
yanavlasov agrawroh
Credited to botengyao, phlax, yanavlasov, and agrawroh
Envoy crashes when JWT authentication is configured with the remote JWKS fetching Moderate
CVE-2025-64527 was published for github.com/envoyproxy/envoy (Go) Dec 5, 2025
botengyao phlax
agrawroh yanavlasov
Credited to botengyao, phlax, agrawroh, and yanavlasov
Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF' High
CVE-2025-65959 was published for open-webui (npm) Dec 4, 2025
pyozzi-toss L2VE
Credited to pyozzi-toss and L2VE
Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web High
CVE-2025-65958 was published for open-webui (pip) Dec 4, 2025
teolines
Credited to teolines
Logrus is vulnerable to DoS when using Entry.Writer() High
CVE-2025-65637 was published for github.com/sirupsen/logrus (Go) Dec 4, 2025
Apache Tika has XXE vulnerability Critical
CVE-2025-66516 was published for org.apache.tika:tika-core (Maven) Dec 4, 2025
ComposioHQ has a directory traversal vulnerability Moderate
CVE-2025-56427 was published for composio (pip) Dec 4, 2025
open-webui is Vulnerable to Incorrect Access Control Low
CVE-2025-63681 was published for open-webui (pip) Dec 4, 2025
libcrux incorrectly calculates on aarch64 High
GHSA-2cgv-28vr-rv6j was published for libcrux-intrinsics (Rust) Dec 4, 2025
Central Dogma's Login Function Has an Open Redirect Vulnerability Moderate
CVE-2025-11222 was published for com.linecorp.centraldogma:centraldogma-server-auth-shiro (Maven) Dec 4, 2025
minwoox
Credited to minwoox
Anthropic Sandbox Runtime Incorrectly Implemented Network Sandboxing Low
CVE-2025-66479 was published for @anthropic-ai/sandbox-runtime (npm) Dec 4, 2025
auth0/node-jws Improperly Verifies HMAC Signature High
CVE-2025-65945 was published for jws (npm) Dec 4, 2025
alexusmai laravel-file-manager is vulnerable to Directory Traversal via the unzip/extraction functionality High
CVE-2025-65346 was published for alexusmai/laravel-file-manager (Composer) Dec 4, 2025
Ansible Community General Collection is vulnerable to exposure of sensitive information Moderate
CVE-2025-14010 was published for ansible (pip) Dec 4, 2025
reanguiano
Credited to reanguiano
alexusmai laravel-file-manager is vulnerable to Directory Traversal Low
CVE-2025-65345 was published for alexusmai/laravel-file-manager (Composer) Dec 3, 2025
mcp-server-kubernetes has potential security issue in exec_in_pod tool Moderate
CVE-2025-66404 was published for mcp-server-kubernetes (npm) Dec 3, 2025
lavenderlilly
Credited to lavenderlilly
React Server Components are Vulnerable to RCE Critical
GHSA-fmh4-wr37-44fp was published for @vitejs/plugin-rsc (npm) Dec 3, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database