Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,767
Maven
5,000+
npm
4,374
NuGet
770
pip
4,148
Pub
12
RubyGems
963
Rust
1,070
Swift
45
Unreviewed advisories
All unreviewed
5,000+

4,374 advisories

Loading
LangChain serialization injection vulnerability enables secret extraction High
CVE-2025-68665 was published for @langchain/core (npm) Dec 23, 2025
ccurme mdrxy
0xn3va yardenporat353 VladimirEliTokarev hntrl siewer jacoblee93
Credited to ccurme, mdrxy, 0xn3va, yardenporat353, VladimirEliTokarev, hntrl, siewer, and jacoblee93
Fedify has ReDoS Vulnerability in HTML Parsing Regex High
CVE-2025-68475 was published for @fedify/fedify (npm) Dec 22, 2025
yueyueL
Credited to yueyueL
n8n Vulnerable to Remote Code Execution via Expression Injection Critical
CVE-2025-68613 was published for n8n (npm) Dec 22, 2025
fatihhcelik
Credited to fatihhcelik
Tuta Mail has DOM attribute and CSS injection in its Contact Viewer feature Low
GHSA-24v3-254g-jv85 was published for @tutao/tutanota-utils (npm) Dec 19, 2025
Orejime has executable code in HTML attributes Low
CVE-2025-68457 was published for orejime (npm) Dec 19, 2025
Rudloff felixgirault
Credited to Rudloff and felixgirault
Storybook manager bundle may expose environment variables during build High
CVE-2025-68429 was published for storybook (npm) Dec 18, 2025
tinacms is vulnerable to arbitrary code execution High
CVE-2025-68278 was published for @tinacms/cli (npm) Dec 18, 2025
cristianstaicu
Credited to cristianstaicu
Nodemailer is vulnerable to DoS through Uncontrolled Recursion Moderate
CVE-2025-14874 was published for nodemailer (npm) Dec 18, 2025
Mattermost Desktop App exposes sensitive information in its application logs Low
CVE-2025-13321 was published for mattermost-desktop (npm) Dec 17, 2025
systeminformation has a Command Injection vulnerability in fsSize() function on Windows High
CVE-2025-68154 was published for systeminformation (npm) Dec 16, 2025
yueyueL
Credited to yueyueL
Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter High
CVE-2025-68150 was published for parse-server (npm) Dec 16, 2025
yueyueL mtrezza
Credited to yueyueL and mtrezza
@vitejs/plugin-rsc has an Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint High
CVE-2025-68155 was published for @vitejs/plugin-rsc (npm) Dec 16, 2025
yueyueL
Credited to yueyueL
Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits High
GHSA-x732-6j76-qmhm was published for better-auth (npm) Dec 16, 2025
goksan
Credited to goksan
tRPC has possible prototype pollution in `experimental_nextAppDirCaller` High
CVE-2025-68130 was published for @trpc/server (npm) Dec 16, 2025
Pr00fOf3xpl0it
Credited to Pr00fOf3xpl0it
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables Moderate
CVE-2025-68115 was published for parse-server (npm) Dec 16, 2025
yueyueL mtrezza
Credited to yueyueL and mtrezza
ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay Moderate
CVE-2025-68113 was published for altcha (RubyGems) Dec 16, 2025
eternal-flame-AD
Credited to eternal-flame-AD
Withdrawn Advisory: LikeC4 has RCE through vulnerable React and Next.js versions Critical
GHSA-vr6p-vq2p-6j74 was published for likec4 (npm) Dec 15, 2025 withdrawn
fnuttens davydkov
Credited to fnuttens and davydkov
Misskey has a login rate limit bypass via spoofed X-Forwarded-For header Moderate
CVE-2025-66482 was published for misskey-js (npm) Dec 15, 2025
BoBeR182 saschanaz
Credited to BoBeR182 and saschanaz
misskey.js's export data contains private post data High
CVE-2025-66402 was published for misskey-js (npm) Dec 15, 2025
na2204 samunohito
Credited to na2204 and samunohito
MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827 Moderate
CVE-2025-67898 was published for mjml (npm) Dec 15, 2025
Vuetify has a Cross-site Scripting (XSS) vulnerability in the VDatePicker component Moderate
CVE-2025-8082 was published for vuetify (npm) Dec 12, 2025
Vuetify has a Prototype Pollution vulnerability High
CVE-2025-8083 was published for vuetify (npm) Dec 12, 2025
Lightning Flow Scanner Vulnerable to Code Injection via Unsafe Use of `new Function()` in APIVersion Rule High
CVE-2025-67750 was published for lightning-flow-scanner (npm) Dec 12, 2025
RubenHalman
Credited to RubenHalman
Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up High
GHSA-5j59-xgg2-r9c4 was published for next (npm) Dec 12, 2025
Vite Plugin React has a Source Code Exposure Vulnerability in React Server Components Moderate
GHSA-c6m7-q6pr-c64r was published for @vitejs/plugin-rsc (npm) Dec 12, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database