GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
4,757
Erlang
35
GitHub Actions
29
Go
2,327
Maven
5,000+
npm
3,960
NuGet
712
pip
3,741
Pub
12
RubyGems
921
Rust
973
Swift
38
Unreviewed advisories
All unreviewed
5,000+
22,787 advisories
Filter by severity
AngularJS Incomplete Filtering of Special Elements vulnerability
Moderate
CVE-2025-2336
was published
for
angular-sanitize
(npm)
Jun 4, 2025
kro Confused Deputy vulnerability
Moderate
CVE-2025-48710
was published
for
github.com/kro-run/kro
(Go)
Jun 4, 2025
Hibernate Validator may interpolate user-supplied input in a constraint violation message with Expression Language
Moderate
CVE-2025-35036
was published
for
org.hibernate.validator:hibernate-validator
(Maven)
Jun 3, 2025
Pekko Management may not properly apply authenticator when Basic Authentication enabled
Moderate
CVE-2025-46548
was published
for
com.lightbend.akka.management:akka-management_2.12
(Maven)
Jun 3, 2025
Erupt Unrestricted Upload of File with Dangerous Type vulnerability
Moderate
CVE-2025-45855
was published
for
xyz.erupt:erupt
(Maven)
Jun 3, 2025
Gokapi vulnerable to stored XSS via uploading file with malicious file name
Moderate
CVE-2025-48494
was published
for
github.com/forceu/gokapi
(Go)
Jun 3, 2025
Gokapi has stored XSS vulnerability in friendly name for API keys
Moderate
CVE-2025-48495
was published
for
github.com/forceu/gokapi
(Go)
Jun 3, 2025
tar-fs can extract outside the specified dir with a specific tarball
High
CVE-2025-48387
was published
for
tar-fs
(npm)
Jun 3, 2025
quic-go Has Panic in Path Probe Loss Recovery Handling
High
CVE-2025-29785
was published
for
github.com/quic-go/quic-go
(Go)
Jun 3, 2025
WSO2 products vulnerable to Cross-site Scripting
Moderate
CVE-2024-8008
was published
for
org.wso2.carbon.identity.framework:org.wso2.carbon.identity.user.store.configuration.ui
(Maven)
Jun 2, 2025
Grafana vulnerable to authenticated users bypassing dashboard, folder permissions
High
CVE-2025-3260
was published
for
github.com/grafana/grafana
(Go)
Jun 2, 2025
Grafana's datasource proxy API allows authorization checks to be bypassed
Moderate
CVE-2025-3454
was published
for
github.com/grafana/grafana
(Go)
Jun 2, 2025
Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization
Critical
CVE-2025-49113
was published
for
roundcube/roundcubemail
(Composer)
Jun 2, 2025
django-helpdesk Allows Sensitive Data Exposure
Moderate
CVE-2018-25111
was published
for
django-helpdesk
(pip)
May 31, 2025
Arrow2 allows out of bounds access in public safe API
High
GHSA-wv8j-m3hx-924j
was published
for
arrow2
(Rust)
May 30, 2025
Para Server Logs Sensitive Information
Moderate
CVE-2025-48955
was published
for
com.erudika:para-server
(Maven)
May 30, 2025
Prevent GitHub CLI and extensions from executing arbitrary commands from compromised GitHub Enterprise Server
Moderate
CVE-2025-48938
was published
for
github.com/cli/go-gh/v2
(Go)
May 30, 2025
Mattermost fails to properly enforce access controls for guest users
Low
CVE-2025-1792
was published
for
github.com/mattermost/mattermost/server/v8
(Go)
May 30, 2025
Mattermost fails to clear Google OAuth credentials
Moderate
CVE-2025-2571
was published
for
github.com/mattermost/mattermost/server/v8
(Go)
May 30, 2025
Mattermost fails to properly invalidate personal access tokens upon user deactivation
Moderate
CVE-2025-3230
was published
for
github.com/mattermost/mattermost/server/v8
(Go)
May 30, 2025
Mattermost fails to properly enforce access control restrictions for System Manager roles
Low
CVE-2025-3611
was published
for
github.com/mattermost/mattermost/server/v8
(Go)
May 30, 2025
WSO2 products vulnerable to privilege escalation due to business logic flaw in SOAP admin services
Moderate
CVE-2024-7096
was published
for
org.wso2.am:am-parent
(Maven)
May 30, 2025
Apache Superset: Improper authorization bypass on row level security via SQL Injection
High
CVE-2025-48912
was published
for
apache-superset
(pip)
May 30, 2025
Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies
High
CVE-2025-41235
was published
for
org.springframework.cloud:spring-cloud-gateway-server
(Maven)
May 30, 2025
Gradio Allows Unauthorized File Copy via Path Manipulation
Moderate
CVE-2025-48889
was published
for
gradio
(pip)
May 29, 2025
ProTip!
Advisories are also available from the
GraphQL API