Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,781
Maven
5,000+
npm
4,386
NuGet
772
pip
4,164
Pub
12
RubyGems
965
Rust
1,073
Swift
45
Unreviewed advisories
All unreviewed
5,000+

220 advisories

Loading
Temporal has a namespace policy bypass allowing requests to be authorized for incorrect contexts Low
CVE-2025-14986 was published for go.temporal.io/server (Go) Dec 30, 2025
SQLE's JWT Secret Handler can be manipulated to use hard-coded cryptographic key Low
CVE-2025-15107 was published for github.com/actiontech/sqle (Go) Dec 27, 2025
Gitea doesn't adequately enforce branch deletion permissions after merging a pull request. Low
CVE-2025-68940 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Mattermost has missing redirect URL validation Low
CVE-2025-62690 was published for github.com/mattermost/mattermost (Go) Dec 17, 2025
Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection Low
CVE-2025-13352 was published for github.com/mattermost/mattermost (Go) Dec 17, 2025
Envoy forwards early CONNECT data in TCP proxy mode Low
CVE-2025-64763 was published for github.com/envoyproxy/envoy (Go) Dec 5, 2025
botengyao phlax
yanavlasov agrawroh chasingimpact
Credited to botengyao, phlax, yanavlasov, agrawroh, and chasingimpact
Mattermost fails to validate user permissions in Boards Low
CVE-2025-13870 was published for github.com/mattermost/mattermost (Go) Dec 2, 2025
VictoriaMetrics' Snappy Decoder DoS Vulnerability is Causing OOM Low
CVE-2025-65942 was published for github.com/VictoriaMetrics/VictoriaMetrics (Go) Nov 25, 2025
hoang-prod
Credited to hoang-prod
SpiceDB: LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results Low
CVE-2025-65111 was published for github.com/authzed/spicedb (Go) Nov 21, 2025
OSV-SCALIBR has NULL Pointer Dereference Low
CVE-2025-13425 was published for github.com/google/osv-scalibr (Go) Nov 20, 2025
Mattermost allows other users to determine when users had read channels via channel member objects Low
CVE-2025-55074 was published for github.com/mattermost/mattermost-server (Go) Nov 18, 2025
Mattermost allows regular users to access archived channel content and files Low
CVE-2025-41436 was published for github.com/mattermost/mattermost-server (Go) Nov 14, 2025
SpiceDB WriteRelationships fails silently if payload is too big Low
CVE-2025-64529 was published for github.com/authzed/spicedb (Go) Nov 13, 2025
Mattermost Incorrect Authorization vulnerability Low
CVE-2025-11777 was published for github.com/mattermost/mattermost (Go) Nov 13, 2025
OpenTofu affected denials of service in "tofu init" with maliciously-crafted module package responses Low
GHSA-w2jf-268q-mrvh was published for github.com/opentofu/opentofu (Go) Nov 6, 2025
Apache Traffic Control has an Inefficient Regular Expression Complexity vulnerability Low
CVE-2025-61581 was published for github.com/apache/trafficcontrol/v8 (Go) Oct 16, 2025
Mattermost has an Incorrect Authorization vulnerability Low
CVE-2025-10545 was published for github.com/mattermost/mattermost-server (Go) Oct 16, 2025
Mattermost has an Observable Timing Discrepancy vulnerability Low
CVE-2025-54499 was published for github.com/mattermost/mattermost-server (Go) Oct 16, 2025
vet MCP Server SSE Transport DNS Rebinding Vulnerability Low
CVE-2025-59163 was published for github.com/safedep/vet (Go) Sep 29, 2025
eharris128
Credited to eharris128
kcp is missing update validation allows arbitrary LogicalCluster status patches through initializingworkspaces Virtual Workspace Low
GHSA-q6hv-wcjr-wp8h was published for github.com/kcp-dev/kcp (Go) Sep 26, 2025
SimonTheLeg embik
Credited to SimonTheLeg and embik
Omni Wireguard SideroLink potential escape Low
CVE-2025-59824 was published for github.com/siderolabs/omni (Go) Sep 24, 2025
smira Unix4ever
Credited to smira and Unix4ever
Mattermost boards plugin fails to restrict download access to files Low
CVE-2025-9081 was published for github.com/mattermost/mattermost-plugin-boards (Go) Sep 19, 2025
Dragonfly's directories created via os.MkdirAll are not checked for permissions Low
CVE-2025-59349 was published for d7y.io/dragonfly/v2 (Go) Sep 17, 2025
gaius-qi
Credited to gaius-qi
Mattermost Open Redirect vulnerability Low
CVE-2025-9084 was published for github.com/mattermost/mattermost-server (Go) Sep 15, 2025
Atlantis Exposes Service Version Publicly on /status API Endpoint Low
CVE-2025-58445 was published for github.com/runatlantis/atlantis (Go) Sep 5, 2025
matthewmrichter
Credited to matthewmrichter
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database