Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,717
Maven
5,000+
npm
4,328
NuGet
761
pip
4,105
Pub
12
RubyGems
958
Rust
1,065
Swift
45
Unreviewed advisories
All unreviewed
5,000+

24,912 advisories

Loading
Grav is vulnerable to a DOS on the admin panel Moderate
CVE-2025-66303 was published for getgrav/grav (Composer) Dec 2, 2025
alix41dsec
Credited to alix41dsec
Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions High
CVE-2025-66301 was published for getgrav/grav (Composer) Dec 2, 2025
nakkouchtarek
Credited to nakkouchtarek
Grav is vulnerable to Arbitrary File Read High
CVE-2025-66300 was published for getgrav/grav (Composer) Dec 2, 2025
thanayut1750
Credited to thanayut1750
Grav is Vulnerable to Security Sandbox Bypass with SSTI (Server Side Template Injection) High
CVE-2025-66299 was published for getgrav/grav (Composer) Dec 2, 2025
justwove
Credited to justwove
Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover High
CVE-2025-66296 was published for getgrav/grav (Composer) Dec 2, 2025
NicatAliyevh
Credited to NicatAliyevh
Keycloak has debug default bind address Moderate
CVE-2025-11538 was published for org.keycloak:keycloak-quarkus-dist (Maven) Dec 2, 2025
Snipe-IT allows stored XSS via the Locations "Country" field Moderate
CVE-2025-65622 was published for snipe/snipe-it (Composer) Dec 2, 2025
maxminddb's `Reader::open_mmap` unsoundly marks unsafe memmap operation as safe Low
GHSA-mj73-j457-8x9q was published for maxminddb (Rust) Dec 2, 2025
Werkzeug safe_join() allows Windows special device names Moderate
CVE-2025-66221 was published for werkzeug (pip) Dec 2, 2025
Oblivionsage
Credited to Oblivionsage
rtvm-interpreter lacks sufficient checks in public API Low
GHSA-pq5v-rwp8-p7gm was published for rtvm-interpreter (Rust) Dec 2, 2025
Mattermost fails to validate user permissions when deleting comments in Boards Moderate
CVE-2025-12756 was published for github.com/mattermost/mattermost (Go) Dec 1, 2025
Snipe-IT is vulnerable to stored cross-site scripting Moderate
CVE-2025-65621 was published for snipe/snipe-it (Composer) Dec 1, 2025
Better Auth affected by external request basePath modification DoS Low
GHSA-569q-mpph-wgww was published for better-auth (npm) Dec 1, 2025
goksan
Credited to goksan
Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls Low
GHSA-rcmh-qjqh-p98v was published for nodemailer (npm) Dec 1, 2025
uko3211
Credited to uko3211
Spotipy has a XSS vulnerability in its OAuth callback server Low
CVE-2025-66040 was published for spotipy (pip) Dec 1, 2025
yueyueL
Credited to yueyueL
fontTools is Vulnerable to Arbitrary File Write and XML injection in fontTools.varLib Moderate
CVE-2025-66034 was published for fonttools (pip) Dec 1, 2025
ntandiono vk-can
Credited to ntandiono and vk-can
Cilium with misconfigured toGroups in policies can lead to unrestricted egress traffic Moderate
CVE-2025-64715 was published for Ciliumgithub.com/cilium/cilium (Go) Dec 1, 2025
SeanEmac fristonio
Credited to SeanEmac and fristonio
XWiki Jetty Package (XJetty) allows accessing any application file through URL High
CVE-2025-55749 was published for org.xwiki.platform:xwiki-platform-tool-jetty-resources (Maven) Dec 1, 2025
Withdrawn Advisory: express improperly controls modification of query properties Low
CVE-2024-51999 was published for express (npm) Dec 1, 2025 withdrawn
ctcpip wesleytodd
jonchurch bjohansebas UlisesGascon
Credited to ctcpip, wesleytodd, jonchurch, bjohansebas, and UlisesGascon
Apache Struts is Vulnerable to DoS via File Leak High
CVE-2025-64775 was published for org.apache.struts:struts2-core (Maven) Dec 1, 2025
FeehiCMS is vulnerable to cross-site scripting via the id parameter of the User Update function Moderate
CVE-2025-63520 was published for feehi/feehicms (Composer) Dec 1, 2025
FeehiCMS fails to enforce server-side immutability Moderate
CVE-2025-63523 was published for feehi/feehicms (Composer) Dec 1, 2025
FeehiCMS is vulnerable to reverse tabnabbing Moderate
CVE-2025-63522 was published for feehi/feehicms (Composer) Dec 1, 2025
NutzBoot vulnerable to information disclosure Low
CVE-2025-13804 was published for org.nutz:nutzboot-parent (Maven) Dec 1, 2025
NutzBoot vulnerable to deserialization Low
CVE-2025-13805 was published for org.nutz:nutzboot-parent (Maven) Dec 1, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database