Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,791
Maven
5,000+
npm
4,399
NuGet
772
pip
4,175
Pub
12
RubyGems
965
Rust
1,074
Swift
45
Unreviewed advisories
All unreviewed
5,000+

4,399 advisories

Loading
`vega-functions` vulnerable to Cross-site Scripting via `setdata` function High
CVE-2025-66648 was published for vega-functions (npm) Jan 5, 2026
nikolaybabiy hydrosquall
domoritz
Credited to nikolaybabiy, hydrosquall, and domoritz
Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope High
CVE-2025-65110 was published for vega-selections (npm) Jan 5, 2026
nickcopi hydrosquall
domoritz
Credited to nickcopi, hydrosquall, and domoritz
evershop allows unauthenticated attackers to force server to initiate HTTP request via "GET /images" API Moderate
CVE-2025-67427 was published for @evershop/evershop (npm) Jan 5, 2026
evershop allows unauthenticated attackers to exhaust application server's resources via "GET /images" API High
CVE-2025-67419 was published for @evershop/evershop (npm) Jan 5, 2026
ERC7984ERC20Wrapper: once a wrapper is filled, subsequent wrap requests do not revert and result in loss of funds. Moderate
GHSA-hqf9-8xv5-x8xw was published for @openzeppelin/confidential-contracts (npm) Jan 5, 2026
jsPDF has Local File Inclusion/Path Traversal vulnerability Critical
CVE-2025-68428 was published for jspdf (npm) Jan 5, 2026
kilkat
Credited to kilkat
AdonisJS Path Traversal in Multipart File Handling Critical
CVE-2026-21440 was published for @adonisjs/bodyparser (npm) Jan 2, 2026
wodzen
Credited to wodzen
Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling Critical
CVE-2025-68620 was published for signalk-server (npm) Jan 2, 2026
atsc11
Credited to atsc11
Signal K Server Vulnerable to Access Request Spoofing Moderate
CVE-2025-69203 was published for signalk-server (npm) Jan 2, 2026
atsc11
Credited to atsc11
Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package High
CVE-2025-68619 was published for signalk-server (npm) Jan 2, 2026
atsc11
Credited to atsc11
Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints Moderate
CVE-2025-68273 was published for signalk-server (npm) Jan 2, 2026
Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding High
CVE-2025-68272 was published for signalk-server (npm) Jan 2, 2026
Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE) Critical
CVE-2025-66398 was published for signalk-server (npm) Jan 2, 2026
Trix has a stored XSS vulnerability through its attachment attribute Moderate
GHSA-g9jg-w8vm-g96v was published for action_text-trix (RubyGems) Dec 31, 2025
serverless MCP Server vulnerable to Command Injection in list-projects tool High
CVE-2025-69256 was published for serverless (npm) Dec 31, 2025
dellalibera
Credited to dellalibera
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion High
CVE-2025-15284 was published for qs (npm) Dec 30, 2025
samipmainali ljharb
Credited to samipmainali and ljharb
PsiTransfer has Zip Slip Path Traversal via TAR Archive Download High
GHSA-xphh-5v4r-r3rx was published for psitransfer (npm) Dec 30, 2025
DenizParlak
Credited to DenizParlak
axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header Moderate
CVE-2025-69202 was published for axios-cache-interceptor (npm) Dec 30, 2025
kishore03109 arthurfiorette
Credited to kishore03109 and arthurfiorette
Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU) Moderate
CVE-2025-69211 was published for @nestjs/platform-fastify (npm) Dec 30, 2025
hemmelig allows SSRF Filter bypass via Secret Request functionality Moderate
CVE-2025-69206 was published for hemmelig (npm) Dec 29, 2025
Alakinnn
Credited to Alakinnn
apidoc-core has a prototype pollution vulnerability Critical
CVE-2025-13158 was published for apidoc-core (npm) Dec 26, 2025
Self-hosted n8n has Legacy Code node that enables arbitrary file read/write High
CVE-2025-68697 was published for n8n (npm) Dec 26, 2025
berkdedekarginoglu
Credited to berkdedekarginoglu
n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node Critical
CVE-2025-68668 was published for n8n (npm) Dec 26, 2025
berkdedekarginoglu VladimirEliTokarev
Ofekitach
Credited to berkdedekarginoglu, VladimirEliTokarev, and Ofekitach
n8n's Possible Stored XSS in "Respond to Webhook" Node May Execute Outside iframe Sandbox High
CVE-2025-61914 was published for n8n (npm) Dec 26, 2025
nlgbao1340
Credited to nlgbao1340
libxmljs has segmentation fault, potentially leading to a denial-of-service (DoS) High
CVE-2025-25341 was published for libxmljs (npm) Dec 26, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database