GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

8,012 advisories

Langroid Allows XXE Injection via XMLToolMessage High
CVE-2025-46726 was published for langroid (pip) May 5, 2025
SCH227
OpenVM allows the byte decomposition of pc in AUIPC chip to overflow High
CVE-2025-46723 was published for openvm (Rust) May 5, 2025
jonathanpwang
Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI High
CVE-2025-46731 was published for craftcms/cms (Composer) May 5, 2025
singetu0096
OPA server Data API HTTP path injection of Rego High
CVE-2025-46569 was published for github.com/open-policy-agent/opa (Go) May 1, 2025
GamrayW HyouKash
AdrienIT
Keycloak hostname verification High
CVE-2025-3501 was published for org.keycloak:keycloak-services (Maven) Apr 30, 2025
sharpedavid
Any user with view access to the XWiki space can change the authenticator High
CVE-2025-46557 was published for org.xwiki.platform:xwiki-platform-security-authentication-ui (Maven) Apr 30, 2025
Volcano Scheduler Denial of Service via Unbounded Response from Elastic Service/extender Plugin High
CVE-2025-32777 was published for volcano.sh/volcano (Go) Apr 30, 2025
kevin-wangzefeng Monokaix
AdamKorcz
Homograph attack allows Unicode lookalike characters to bypass validation. High
CVE-2025-27611 was published for base-x (npm) Apr 30, 2025
steveluscher john-s4d
Duplicate Advisory: Keycloak hostname verification High
GHSA-r934-w73g-v4p8 was published for org.keycloak:keycloak-services (Maven) Apr 29, 2025 withdrawn
Kyverno vulnerable to bypass of policy rules that use namespace selectors in match statements High
CVE-2025-46342 was published for github.com/kyverno/kyverno (Go) Apr 29, 2025
anbrsap
Data exposure via ZeroMQ on multi-node vLLM deployment High
CVE-2025-30202 was published for vllm (pip) Apr 29, 2025
russellb kexinoh
YesWiki Remote Code Execution via Arbitrary PHP File Write and Execution High
CVE-2025-46347 was published for yeswiki/yeswiki (Composer) Apr 29, 2025
pizza-power
YesWiki Vulnerable to Unauthenticated Reflected Cross-site Scripting High
CVE-2025-46349 was published for yeswiki/yeswiki (Composer) Apr 29, 2025
Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed High
CVE-2025-22235 was published for org.springframework.boot:spring-boot (Maven) Apr 28, 2025
Moodle has an authenticated remote code execution risk in the Moodle LMS EQUELLA repository High
CVE-2025-3642 was published for moodle/moodle (Composer) Apr 25, 2025
Moodle has an authenticated remote code execution risk in the Moodle LMS Dropbox repository High
CVE-2025-3641 was published for moodle/moodle (Composer) Apr 25, 2025
Moodle allows unauthenticated REST API user data exposure High
CVE-2025-32044 was published for moodle/moodle (Composer) Apr 25, 2025
Steve doesn’t verify a server’s certificate and is susceptible to man-in-the-middle (MitM) attacks High
CVE-2023-32198 was published for github.com/rancher/steve (Go) Apr 25, 2025
Rancher users who can create Projects can gain access to arbitrary projects High
CVE-2024-22031 was published for github.com/rancher/rancher (Go) Apr 25, 2025
AnonySE26
React Router allows pre-render data spoofing on React-Router framework mode High
CVE-2025-43865 was published for react-router (npm) Apr 24, 2025
cold-try mhassan1
React Router allows a DoS via cache poisoning by forcing SPA mode High
CVE-2025-43864 was published for react-router (npm) Apr 24, 2025
cold-try
tRPC 11 WebSocket DoS Vulnerability High
CVE-2025-43855 was published for @trpc/server (npm) Apr 24, 2025
lukechilds
Apache HttpClient disables domain checks High
CVE-2025-27820 was published for org.apache.httpcomponents.client5:httpclient5 (Maven) Apr 24, 2025
PostHog Plugin Server SQL Injection Vulnerability High
CVE-2025-1520 was published for @posthog/plugin-server (npm) Apr 23, 2025