GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
                  
                    
                      
                      All reviewed
                    
                    
                      5,000+
                    
                  
                  
                    
                      
                      Composer
                    
                    
                      4,963
                    
                  
                  
                    
                      
                      Erlang
                    
                    
                      39
                    
                  
                  
                    
                      
                      GitHub Actions
                    
                    
                      38
                    
                  
                  
                    
                      
                      Go
                    
                    
                      2,615
                    
                  
                  
                    
                      
                      Maven
                    
                    
                      5,000+
                    
                  
                  
                    
                      
                      npm
                    
                    
                      4,255
                    
                  
                  
                    
                      
                      NuGet
                    
                    
                      760
                    
                  
                  
                    
                      
                      pip
                    
                    
                      4,036
                    
                  
                  
                    
                      
                      Pub
                    
                    
                      12
                    
                  
                  
                    
                      
                      RubyGems
                    
                    
                      953
                    
                  
                  
                    
                      
                      Rust
                    
                    
                      1,049
                    
                  
                  
                    
                      
                      Swift
                    
                    
                      45
                    
                  
                  Unreviewed advisories
                  
                    
                      
                      All unreviewed
                    
                    
                      5,000+
                    
                  
            24,497 advisories
        Filter by severity
        
      
      
    
                    
                      Agno session state overwrites between different sessions/users
                    
                      
  High
                    
                
                      
                        CVE-2025-64168
                      
                      was published
                        for
                        
                          agno
                        
                        (pip)
                      Oct 31, 2025 
                    
                  
                    
                      Liferay Portal Vulnerable to Reflected XSS via the selectedLanguageId Parameter
                    
                      
  Moderate
                    
                
                      
                        CVE-2025-62264
                      
                      was published
                        for
                        
                          com.liferay.portal:release.portal.bom
                        
                        (Maven)
                      Oct 31, 2025 
                    
                  
                    
                      Ansible does not collect garbage after playbook run
                    
                      
  Moderate
                    
                
                      
                        CVE-2020-25635
                      
                      was published
                        for
                        
                          ansible
                        
                        (pip)
                      Oct 31, 2025 
                    
                  
                    
                      cryptidy allows code execution via untrusted data due to pickle.loads 
                    
                      
  Moderate
                    
                
                      
                        CVE-2025-63675
                      
                      was published
                        for
                        
                          cryptidy
                        
                        (pip)
                      Oct 31, 2025 
                    
                  
                    
                      Brotli is vulnerable to a denial of service (DoS) attack due to decompression
                    
                      
  High
                    
                
                      
                        CVE-2025-6176
                      
                      was published
                        for
                        
                          brotli
                        
                        (pip)
                      Oct 31, 2025 
                    
                  
                    
                      Liferay Portal is vulnerable to XSS in the Blogs widget
                    
                      
  Moderate
                    
                
                      
                        CVE-2025-62265
                      
                      was published
                        for
                        
                          com.liferay.portal:release.portal.bom
                        
                        (Maven)
                      Oct 30, 2025 
                    
                  
                    
                      sqls-server/sqls is vulnerable to command injection in the config command 
                    
                      
  High
                    
                
                      
                        CVE-2025-61141
                      
                      was published
                        for
                        
                          github.com/sqls-server/sqls
                        
                        (Go)
                      Oct 30, 2025 
                    
                  
                    
                      Liferay Portal is vulnerable to DNS rebinding attacks
                    
                      
  Moderate
                    
                
                      
                        CVE-2025-62266
                      
                      was published
                        for
                        
                          com.liferay.portal:release.portal.bom
                        
                        (Maven)
                      Oct 30, 2025 
                    
                  
                    
                      Keras keras.utils.get_file API is vulnerable to a path traversal attack
                    
                      
  High
                    
                
                      
                        CVE-2025-12060
                      
                      was published
                        for
                        
                          keras
                        
                        (pip)
                      Oct 30, 2025 
                    
                  
                    
                      Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation
                    
                      
  High
                    
                
                      
                        CVE-2025-64112
                      
                      was published
                        for
                        
                          statamic/cms
                        
                        (Composer)
                      Oct 30, 2025 
                    
                  
                    
                      node-tar has a race condition leading to uninitialized memory exposure
                    
                      
  Moderate
                    
                
                      
                        CVE-2025-64118
                      
                      was published
                        for
                        
                          tar
                        
                        (npm)
                      Oct 30, 2025 
                    
                  
                    
                      gnark-crypto allows unchecked memory allocation during vector deserialization
                    
                      
  High
                    
                
                      
                        GHSA-fj2x-735w-74vq
                      
                      was published
                        for
                        
                          github.com/consensys/gnark-crypto
                        
                        (Go)
                      Oct 30, 2025 
                    
                  
                    
                      Anubis vulnerable to possible XSS via redir parameter when using subrequest auth mode
                    
                      
  Low
                    
                
                      
                        GHSA-cf57-c578-7jvv
                      
                      was published
                        for
                        
                          github.com/TecharoHQ/anubis
                        
                        (Go)
                      Oct 30, 2025 
                    
                  
                    
                      n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook
                    
                      
  High
                    
                
                      
                        CVE-2025-62726
                      
                      was published
                        for
                        
                          n8n
                        
                        (npm)
                      Oct 30, 2025 
                    
                  
                    
                      Byaidu PDFMathTranslate vulnerable to open redirect
                    
                      
  Low
                    
                
                      
                        CVE-2025-50736
                      
                      was published
                        for
                        
                          pdf2zh
                        
                        (pip)
                      Oct 30, 2025 
                    
                  
                    
                      Apache Airflow has a command injection vulnerability in "example_dag_decorator"
                    
                      
  Moderate
                    
                
                      
                        CVE-2025-54941
                      
                      was published
                        for
                        
                          apache-airflow
                        
                        (pip)
                      Oct 30, 2025 
                    
                  
                    
                      Apache Airflow `/api/v2/dagReports` executes DAG Python in API
                    
                      
  Moderate
                    
                
                      
                        CVE-2025-62402
                      
                      was published
                        for
                        
                          apache-airflow
                        
                        (pip)
                      Oct 30, 2025 
                    
                  
                    
                      Apache Airflow's create action can upsert existing Pools/Connections/Variables
                    
                      
  Moderate
                    
                
                      
                        CVE-2025-62503
                      
                      was published
                        for
                        
                          apache-airflow
                        
                        (pip)
                      Oct 30, 2025 
                    
                  
                    
                      Liferay Portal vulnerable to password enumeration
                    
                      
  Moderate
                    
                
                      
                        CVE-2025-62257
                      
                      was published
                        for
                        
                          com.liferay.portal:release.portal.bom
                        
                        (Maven)
                      Oct 30, 2025 
                    
                  
                    
                      Drupal Acquia DAM allows Forceful Browsing
                    
                      
  High
                    
                
                      
                        CVE-2025-9954
                      
                      was published
                        for
                        
                          drupal/acquia_dam
                        
                        (Composer)
                      Oct 30, 2025 
                    
                  
                    
                      Drupal CivicTheme Design System allows Cross-Site Scripting (XSS)
                    
                      
  Moderate
                    
                
                      
                        CVE-2025-12083
                      
                      was published
                        for
                        
                          drupal/civictheme
                        
                        (Composer)
                      Oct 30, 2025 
                    
                  
                    
                      Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass
                    
                      
  High
                    
                
                      
                        CVE-2025-12466
                      
                      was published
                        for
                        
                          drupal/simple_oauth
                        
                        (Composer)
                      Oct 30, 2025 
                    
                  
                    
                      Drupal Plausible tracking is vulnerable to XSS
                    
                      
  Moderate
                    
                
                      
                        CVE-2025-10927
                      
                      was published
                        for
                        
                          drupal/plausible_tracking
                        
                        (Composer)
                      Oct 30, 2025 
                    
                  
                    
                      Drupal JSON Field is vulnerable to XSS
                    
                      
  Moderate
                    
                
                      
                        CVE-2025-10926
                      
                      was published
                        for
                        
                          drupal/json_field
                        
                        (Composer)
                      Oct 30, 2025 
                    
                  
                    
                      Drupal Access code allows Brute Force Attempts
                    
                      
  Moderate
                    
                
                      
                        CVE-2025-10928
                      
                      was published
                        for
                        
                          drupal/access_code
                        
                        (Composer)
                      Oct 30, 2025 
                    
                  
        
        ProTip!
        Advisories are also available from the 
        GraphQL API