Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,767
Maven
5,000+
npm
4,374
NuGet
770
pip
4,148
Pub
12
RubyGems
963
Rust
1,070
Swift
45
Unreviewed advisories
All unreviewed
5,000+

25,127 advisories

Loading
LangChain serialization injection vulnerability enables secret extraction High
CVE-2025-68665 was published for @langchain/core (npm) Dec 23, 2025
ccurme mdrxy
0xn3va yardenporat353 VladimirEliTokarev hntrl siewer jacoblee93
Credited to ccurme, mdrxy, 0xn3va, yardenporat353, VladimirEliTokarev, hntrl, siewer, and jacoblee93
httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage High
CVE-2025-68696 was published for httparty (RubyGems) Dec 23, 2025
lambdasawa
Credited to lambdasawa
LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs Critical
CVE-2025-68664 was published for langchain-core (pip) Dec 23, 2025
0xn3va yardenporat353
VladimirEliTokarev eyurtsev ccurme mdrxy hntrl
Credited to 0xn3va, yardenporat353, VladimirEliTokarev, eyurtsev, ccurme, mdrxy, and hntrl
Cadmium CMS has a background arbitrary file upload vulnerability High
CVE-2025-51511 was published for cadmium-org/cadmium-cms (Composer) Dec 23, 2025
Home Assistant Core before is vulnerable to Directory Traversal Moderate
CVE-2025-65713 was published for homeassistant (pip) Dec 23, 2025
LibreNMS Alert Rule API Cross-Site Scripting Vulnerability Moderate
CVE-2025-68614 was published for librenms/librenms (Composer) Dec 23, 2025
zdi-disclosures
Credited to zdi-disclosures
Local Deep Research is Vulnerable to Server-Side Request Forgery (SSRF) in Download Service Moderate
CVE-2025-67743 was published for local-deep-research (pip) Dec 23, 2025
yueyueL
Credited to yueyueL
Fedify has ReDoS Vulnerability in HTML Parsing Regex High
CVE-2025-68475 was published for @fedify/fedify (npm) Dec 22, 2025
yueyueL
Credited to yueyueL
Piranha has stored cross-site scripting (XSS) vulnerability Low
CVE-2025-67290 was published for Piranha (NuGet) Dec 22, 2025
Umbraco CMS has an arbitrary file upload vulnerability Moderate
CVE-2025-67288 was published for Umbraco.Cms (NuGet) Dec 22, 2025
Piranha has stored cross-site scripting (XSS) vulnerability Low
CVE-2025-67291 was published for Piranha (NuGet) Dec 22, 2025
Marshmallow has DoS in Schema.load(many) Moderate
CVE-2025-68480 was published for marshmallow (pip) Dec 22, 2025
KEDA has Arbitrary File Read via Insufficient Path Validation in HashiCorp Vault Service Account Credential High
CVE-2025-68476 was published for github.com/kedacore/keda/v2 (Go) Dec 22, 2025
n8n Vulnerable to Remote Code Execution via Expression Injection Critical
CVE-2025-68613 was published for n8n (npm) Dec 22, 2025
fatihhcelik
Credited to fatihhcelik
Cowrie has a SSRF vulnerability in wget/curl emulation enabling DDoS amplification High
GHSA-83jg-m2pm-4jxj was published for cowrie (pip) Dec 20, 2025
filippolauria
Credited to filippolauria
External Control of File Name or Path in Langflow High
CVE-2025-68478 was published for langflow (pip) Dec 19, 2025
J1vvoo
Credited to J1vvoo
Langflow vulnerable to Server-Side Request Forgery High
CVE-2025-68477 was published for langflow (pip) Dec 19, 2025
im-soohyun
Credited to im-soohyun
Tuta Mail has DOM attribute and CSS injection in its Contact Viewer feature Low
GHSA-24v3-254g-jv85 was published for @tutao/tutanota-utils (npm) Dec 19, 2025
Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization Moderate
CVE-2025-13467 was published for org.keycloak:keycloak-ldap-federation (Maven) Dec 19, 2025
FastAPI Users Vulnerable to 1-click Account Takeover in Apps Using FastAPI SSO Moderate
CVE-2025-68481 was published for fastapi-users (pip) Dec 19, 2025
davidbors-snyk
Credited to davidbors-snyk
Orejime has executable code in HTML attributes Low
CVE-2025-68457 was published for orejime (npm) Dec 19, 2025
Rudloff felixgirault
Credited to Rudloff and felixgirault
pretix has Broken Access Control Allowing Cross-User File Access via UUID Low
CVE-2025-14881 was published for pretix (pip) Dec 19, 2025
pretix has Broken Access Control Allowing Cross-User File Access via UUID Low
CVE-2025-14882 was published for pretix (pip) Dec 19, 2025
Apache NiFi GetAsanaObject Processor has Remote Code Execution via Unsafe Deserialization High
CVE-2025-66524 was published for org.apache.nifi:nifi-asana-processors (Maven) Dec 19, 2025
FastAPI SSP is vulnerable to Cross-site Request Forgery (CSRF) through improper OAuth parameter validation Moderate
CVE-2025-14546 was published for fastapi-sso (pip) Dec 19, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database