Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,670
Maven
5,000+
npm
4,296
NuGet
760
pip
4,075
Pub
12
RubyGems
957
Rust
1,058
Swift
45
Unreviewed advisories
All unreviewed
5,000+

24,730 advisories

Loading
thread-amount Vulnerable to Resource Exhaustion (Memory and Handle Leaks) on Windows and macOS High
CVE-2025-65947 was published for thread-amount (Rust) Nov 21, 2025
jzeuzs
Credited to jzeuzs
SpiceDB: LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results Low
CVE-2025-65111 was published for github.com/authzed/spicedb (Go) Nov 21, 2025
MLX has Wild Pointer Dereference in load_gguf() Moderate
CVE-2025-62609 was published for mlx (pip) Nov 21, 2025
wickgit mmudryi
markiyanch
Credited to wickgit, mmudryi, and markiyanch
MLX has heap-buffer-overflow in load() Moderate
CVE-2025-62608 was published for mlx (pip) Nov 21, 2025
wickgit mmudryi
markiyanch
Credited to wickgit, mmudryi, and markiyanch
Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default High
CVE-2025-13357 was published for github.com/hashicorp/terraform-provider-vault (Go) Nov 21, 2025
Grafana Incorrect Privilege Assignment vulnerability Critical
CVE-2025-41115 was published for github.com/grafana/grafana (Go) Nov 21, 2025
cdupuis
Credited to cdupuis
OpenFGA Improper Policy Enforcement Moderate
CVE-2025-64751 was published for github.com/openfga/openfga (Go) Nov 20, 2025
Minder does not sandbox http.send in Rego programs High
GHSA-6xvf-4vh9-mw47 was published for github.com/mindersec/minder (Go) Nov 20, 2025
Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage Moderate
CVE-2025-63700 was published for @clerk/clerk-js (npm) Nov 20, 2025
authkit-nextjs may let session cookies be cached in CDNs High
CVE-2025-64762 was published for @workos-inc/authkit-nextjs (npm) Nov 20, 2025
@anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes High
CVE-2025-64755 was published for @anthropic-ai/claude-code (npm) Nov 20, 2025
vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs` Moderate
CVE-2025-62426 was published for vllm (pip) Nov 20, 2025
russellb Isotr0py
DarkLight1337
Credited to russellb, Isotr0py, and DarkLight1337
vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs High
CVE-2025-62372 was published for vllm (pip) Nov 20, 2025
DarkLight1337 ywang96
Isotr0py russellb
Credited to DarkLight1337, ywang96, Isotr0py, and russellb
vLLM deserialization vulnerability leading to DoS and potential RCE High
CVE-2025-62164 was published for vllm (pip) Nov 20, 2025
omriaxion russellb
DarkLight1337 Isotr0py ywang96
Credited to omriaxion, russellb, DarkLight1337, Isotr0py, and ywang96
zx Uses Incorrectly-Resolved Name or Reference Moderate
CVE-2025-13437 was published for zx (npm) Nov 20, 2025
Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow Moderate
CVE-2025-64027 was published for snipe/snipe-it (Composer) Nov 20, 2025
OSV-SCALIBR has NULL Pointer Dereference Low
CVE-2025-13425 was published for github.com/google/osv-scalibr (Go) Nov 20, 2025
md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter Critical
CVE-2025-65108 was published for md-to-pdf (npm) Nov 20, 2025
Prodigysec
Credited to Prodigysec
LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates High
CVE-2025-65106 was published for langchain-core (pip) Nov 20, 2025
0xn3va
Credited to 0xn3va
@hpke/core reuses AEAD nonces Critical
CVE-2025-64767 was published for @hpke/core (npm) Nov 20, 2025
panva
Credited to panva
@perfood/couch-auth may expose session tokens, passwords Moderate
CVE-2025-60794 was published for @perfood/couch-auth (npm) Nov 20, 2025
phppgadmin contains an incorrect access control vulnerability Moderate
CVE-2025-60799 was published for phppgadmin/phppgadmin (Composer) Nov 20, 2025
phppgadmin contains a SQL injection vulnerability Moderate
CVE-2025-60798 was published for phppgadmin/phppgadmin (Composer) Nov 20, 2025
Resty has a Path Traversal vulnerability Low
CVE-2025-13435 was published for cn.dreampie:resty (Maven) Nov 20, 2025
phppgadmin contains a SQL injection vulnerability Moderate
CVE-2025-60797 was published for phppgadmin/phppgadmin (Composer) Nov 20, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database