GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 40; GitHub Actions 38; Go 2,781; Maven 5,000+; npm 4,386; NuGet 772; pip 4,164; Pub 12; RubyGems 965; Rust 1,073; Swift 45
Unreviewed advisories: All unreviewed 5,000+
1,007 advisories
Gitea allows attackers to add attachments with forbidden file extensions (High): CVE-2025-68939 was published for code.gitea.io/gitea (Go) on Dec 26, 2025
KEDA has Arbitrary File Read via Insufficient Path Validation in HashiCorp Vault Service Account Credential (High): CVE-2025-68476 was published for github.com/kedacore/keda/v2 (Go) on Dec 22, 2025
Elasticsearch Packetbeat has Excessive Allocation of Memory and CPU via Malicious IPv4 Fragments (High): CVE-2025-68388 was published for github.com/elastic/beats (Go) on Dec 19, 2025
Expr has Denial of Service via Unbounded Recursion in Builtin Functions (High): CVE-2025-68156 was published for github.com/expr-lang/expr (Go) on Dec 16, 2025
SIPGO is Vulnerable to Response DoS via Nil Pointer Dereference (High): CVE-2025-68274 was published for github.com/emiago/sipgo (Go) on Dec 16, 2025
Libredesk has Improper Neutralization of HTML Tags in a Web Page (High): CVE-2025-68927 was published for github.com/abhinavxd/libredesk (Go) on Dec 16, 2025
Misconfigured Internal Proxy in runtimes-inventory-rhel8-operator Grants Standard Users Full Cluster Administrator Access (High): CVE-2025-11393 was published for github.com/RedHatInsights/runtimes-inventory-operator (Go) on Dec 15, 2025
Finality Provider vulnerable to anti-slashing bypassing due to misconfiguration (High): GHSA-4jmp-x7mh-rgmr was published for github.com/babylonlabs-io/finality-provider (Go) on Dec 12, 2025
NeuVector OpenID Connect is vulnerable to man-in-the-middle (MITM) (High): CVE-2025-66001 was published for github.com/neuvector/neuvector (Go) on Dec 12, 2025
Weaviate OSS has path traversal vulnerability via the Shard Movement API (High): CVE-2025-67819 was published for github.com/weaviate/weaviate (Go) on Dec 12, 2025
Weaviate OSS has a Path Traversal Vulnerability via Backup ZipSlip (High): CVE-2025-67818 was published for github.com/weaviate/weaviate (Go) on Dec 12, 2025
gardenctl is vulnerable to Command Injection when used with non-POSIX shells (High): CVE-2025-67508 was published for github.com/gardener/gardenctl-v2 (Go) on Dec 11, 2025
1Panel contains a cross-site request forgery (CSRF) vulnerability in the web port configuration functionality (High): CVE-2025-34429 was published for github.com/1Panel-dev/1Panel (Go) on Dec 10, 2025
1Panel contains a cross-site request forgery (CSRF) vulnerability in the Change Username functionality (High): CVE-2025-34410 was published for github.com/1Panel-dev/1Panel (Go) on Dec 10, 2025
Gogs vulnerable to a bypass of CVE-2024-55947 (High): CVE-2025-8110 was published for gogs.io/gogs (Go) on Dec 10, 2025
SiYuan vulnerable to RCE via zip slip and Command Injection via PandocBin (High): GHSA-4r66-7rcv-x46x was published for github.com/siyuan-note/siyuan/kernel (Go) on Dec 9, 2025
SiYuan: ZipSlip -> Arbitrary File Overwrite -> RCE (High): CVE-2025-67488 was published for github.com/siyuan-note/siyuan/kernel (Go) on Dec 9, 2025
RCE via ZipSlip and symbolic links in argoproj/argo-workflows (High): CVE-2025-66626 was published for github.com/argoproj/argo-workflows (Go) on Dec 9, 2025
Babylon Nil BlockHash in BLS vote extensions triggers panics in consensus handlers (High): GHSA-m6wq-66p2-c8pc was published for github.com/babylonlabs-io/babylon (Go) on Dec 8, 2025
ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login (High): CVE-2025-67495 was published for github.com/zitadel/zitadel (Go) on Dec 8, 2025
ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login (High): GHSA-pfrf-9r5f-73f5 was published for github.com/zitadel/zitadel (Go) on Dec 8, 2025
memos vulnerability allows the creation of arbitrary accounts (High): CVE-2025-65795 was published for github.com/usememos/memos (Go) on Dec 8, 2025
1Panel – CAPTCHA Bypass via Client-Controlled Flag (High): CVE-2025-66507 was published for github.com/1Panel-dev/1Panel (Go) on Dec 8, 2025
Sigstore Timestamp Authority allocates excessive memory during request parsing (High): CVE-2025-66564 was published for github.com/sigstore/timestamp-authority (Go) on Dec 5, 2025
Fulcio allocates excessive memory during token parsing (High): CVE-2025-66506 was published for github.com/sigstore/fulcio (Go) on Dec 5, 2025
ProTip! Advisories are also available from the GraphQL API.