Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,926
Erlang
39
GitHub Actions
38
Go
2,576
Maven
5,000+
npm
4,246
NuGet
754
pip
4,008
Pub
12
RubyGems
953
Rust
1,045
Swift
45
Unreviewed advisories
All unreviewed
5,000+

24,320 advisories

Loading
Direct Ring Buffer has uninitialized memory exposure in create_ring_buffer Low
GHSA-fp5x-7m4q-449f was published for direct_ring_buffer (Rust) Oct 21, 2025
orx-pinned-vec has undefined behavior in index_of_ptr with empty slices Low
GHSA-h5j3-crg5-8jqm was published for orx-pinned-vec (Rust) Oct 21, 2025
Nautobot Single Source of Truth (SSoT) has an unauthenticated ServiceNow configuration URL Moderate
CVE-2025-62607 was published for nautobot-ssot (pip) Oct 21, 2025
gsnider2195 smk4664
jdrew82
Credited to gsnider2195, smk4664, and jdrew82
code16 Sharp vulnerable to Cross Site Scripting (XSS) Moderate
CVE-2025-61457 was published for code16/sharp (Composer) Oct 21, 2025
Liferay Portal reflected cross-site scripting (XSS) vulnerability in the google_gaget Moderate
CVE-2025-62249 was published for com.liferay.portal:com.liferay.portal.impl (Maven) Oct 21, 2025
NeuVector is shipping cryptographic material into its binary Moderate
CVE-2025-54471 was published for github.com/neuvector/neuvector (Go) Oct 21, 2025
NeuVector telemetry sender is vulnerable to MITM and DoS High
CVE-2025-54470 was published for https://github.com/neuvector/neuvector (Go) Oct 21, 2025
NeuVector Enforcer is vulnerable to Command Injection and Buffer overflow Critical
CVE-2025-54469 was published for github.com/neuvector/neuvector (Go) Oct 21, 2025
uv has differential in tar extraction with PAX headers Low
GHSA-w476-p2h3-79g9 was published for uv (pip) Oct 21, 2025
woodruffw zanieb
Credited to woodruffw and zanieb
Liferay Portal fails to verify messages from the cluster network is trusted Moderate
CVE-2025-62250 was published for com.liferay:com.liferay.portal.cluster.multiple (Maven) Oct 21, 2025
ProcessWire CMS vulnerable to resource-exhaustion Denial of Service Moderate
CVE-2025-60790 was published for processwire/processwire (Composer) Oct 21, 2025
Cosmos EVM Vulnerability Critical
GHSA-8pfh-j44r-f654 was published for github.com/cosmos/evm (Go) Oct 21, 2025
Shopware Customer Orders can be canceled, even if refunds are disabled Moderate
GHSA-r2vg-hvjm-fg38 was published for shopware/core (Composer) Oct 21, 2025
aragon999
Credited to aragon999
Shopware exposes sensitive user information via CSV export mapping Moderate
GHSA-27c9-vp3w-6ww8 was published for shopware/core (Composer) Oct 21, 2025
larskemper
Credited to larskemper
Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice Low
GHSA-3cpp-fv95-mpr5 was published for shopware/core (Composer) Oct 21, 2025
larskemper
Credited to larskemper
Shopware vulnerable to path traversal via Plugin upload Low
GHSA-6wh5-mw9h-5c3w was published for shopware/core (Composer) Oct 21, 2025
Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually Moderate
GHSA-m895-2hj3-8cg9 was published for shopware/core (Composer) Oct 21, 2025
JoshuaBehrens
Credited to JoshuaBehrens
astral-tokio-tar Vulnerable to PAX Header Desynchronization High
CVE-2025-62518 was published for astral-tokio-tar (Rust) Oct 21, 2025
woodruffw tycho
azenla anners mnm678 zanieb
Credited to woodruffw, tycho, azenla, anners, mnm678, and zanieb
Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic Moderate
CVE-2025-62595 was published for koa (npm) Oct 21, 2025
haymizrachi
Credited to haymizrachi
Taguette vulnerable to cross-site scripting via tag name, tag description, document name and document description Moderate
CVE-2025-62528 was published for taguette (pip) Oct 20, 2025
emilvirkki
Credited to emilvirkki
Taguette password reset link poisoning High
CVE-2025-62527 was published for taguette (pip) Oct 20, 2025
emilvirkki
Credited to emilvirkki
Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read Moderate
GHSA-vffh-c9pq-4crh was published for uptime-kuma (npm) Oct 20, 2025
TriangleSnake
Credited to TriangleSnake
vite allows server.fs.deny bypass via backslash on Windows Moderate
CVE-2025-62522 was published for vite (npm) Oct 20, 2025
minhnb11 bluwy
Credited to minhnb11 and bluwy
NetBird VPN does not remove the default password of an admin account Critical
CVE-2025-10678 was published for github.com/netbirdio/netbird (Go) Oct 20, 2025
Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers Moderate
GHSA-xvp7-8vm8-xfxx was published for @actual-app/sync-server (npm) Oct 20, 2025
StoobertB
Credited to StoobertB
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database