Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,699
Erlang
34
GitHub Actions
28
Go
2,292
Maven
5,000+
npm
3,941
NuGet
708
pip
3,708
Pub
12
RubyGems
919
Rust
959
Swift
38
Unreviewed advisories
All unreviewed
5,000+

1,238 advisories

Loading
Cocotais Bot has builtin .echo command injection Moderate
CVE-2025-47948 was published for cocotais-bot (npm) May 19, 2025
Destroyed-Dream
lockfile-lint-api Vulnerable to Incorrect Behavior Order Moderate
CVE-2025-4759 was published for lockfile-lint-api (npm) May 16, 2025
Meteor Affected By Inefficient Regular Expression Complexity Moderate
CVE-2025-4727 was published for meteor (npm) May 16, 2025
Bootstrap Multiselect Vulnerable to CSRF and Reflective XSS via Arbitrary POST Data Moderate
CVE-2025-47204 was published for bootstrap-multiselect (npm) May 13, 2025
@lumieducation/h5p-server Fails to Sanitize Plain Text Strings Moderate
CVE-2025-47828 was published for @lumieducation/h5p-server (npm) May 11, 2025
@misskey-dev/summaly allows IP Filter Bypass via Redirect Moderate
GHSA-jqx4-9gpq-rppm was published for @misskey-dev/summaly (npm) May 6, 2025
warriordog
Information Disclosure via Flags override link Moderate
CVE-2025-46332 was published for @vercel/flags (npm) May 2, 2025
@cloudflare/workers-oauth-provider PKCE bypass via downgrade attack Moderate
CVE-2025-4144 was published for @cloudflare/workers-oauth-provider (npm) May 1, 2025
@cloudflare/workers-oauth-provider missing validation of redirect_uri on authorize endpoint Moderate
CVE-2025-4143 was published for @cloudflare/workers-oauth-provider (npm) May 1, 2025
Duplicate Advisory: @cloudflare/workers-oauth-provider missing validation of redirect_uri on authorize endpoint Moderate
GHSA-7cp4-jw97-3rc2 was published for @cloudflare/workers-oauth-provider (npm) May 1, 2025 withdrawn
Duplicate Advisory: @cloudflare/workers-oauth-provider PKCE bypass via downgrade attack Moderate
GHSA-vh4h-fvqf-q9wv was published for @cloudflare/workers-oauth-provider (npm) May 1, 2025 withdrawn
Vite's server.fs.deny bypassed with /. for files under project root Moderate
CVE-2025-46565 was published for vite (npm) Apr 30, 2025
chienhm
Auth0 NextJS SDK v4 Missing Session Invalidation Moderate
CVE-2025-46344 was published for @auth0/nextjs-auth0 (npm) Apr 29, 2025
@account-kit/smart-contracts Allowlist Module Bypass Vulnerability Moderate
GHSA-wfm2-rq5g-f8v5 was published for @account-kit/smart-contracts (npm) Apr 29, 2025
howydev
n8n Vulnerable to Stored XSS through Attachments View Endpoint Moderate
CVE-2025-46343 was published for n8n (npm) Apr 28, 2025
Mahmoud0x00
GraphQL Armor Cost-Limit Plugin Bypass via Introspection Query Obfuscation Moderate
GHSA-733v-p3h5-qpq7 was published for @escape.tech/graphql-armor-cost-limit (npm) Apr 25, 2025
M0ngi EvertEt
pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting Moderate
CVE-2024-47829 was published for pnpm (npm) Apr 23, 2025
kexinoh
QMarkdown Cross-Site Scripting (XSS) vulnerability Moderate
CVE-2025-43954 was published for @quasar/quasar-ui-qmarkdown (npm) Apr 20, 2025
Permission policy information leakage in Backstage permission system Moderate
CVE-2025-32791 was published for @backstage/plugin-permission-backend (npm) Apr 16, 2025
jquery-validation vulnerable to Cross-site Scripting Moderate
CVE-2025-3573 was published for jquery-validation (npm) Apr 15, 2025
http-proxy-middleware can call writeBody twice because "else if" is not used Moderate
CVE-2025-32996 was published for http-proxy-middleware (npm) Apr 15, 2025
sealonohana
http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed Moderate
CVE-2025-32997 was published for http-proxy-middleware (npm) Apr 15, 2025
sealonohana
@sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params Moderate
CVE-2025-32388 was published for @sveltejs/kit (npm) Apr 14, 2025
kkarikos Rich-Harris
dominikg dummdidumm
Directus inserts access token from query string into logs Moderate
CVE-2024-47822 was published for @directus/api (npm) Apr 14, 2025
licitdev
Vite has an `server.fs.deny` bypass with an invalid `request-target` Moderate
CVE-2025-32395 was published for vite (npm) Apr 11, 2025
do9gy-msec sw0rd1ight
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database