Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,744
Maven
5,000+
npm
4,341
NuGet
765
pip
4,113
Pub
12
RubyGems
960
Rust
1,069
Swift
45
Unreviewed advisories
All unreviewed
5,000+

1,379 advisories

Loading
Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs Moderate
CVE-2025-62374 was published for parse (npm) Oct 14, 2025
Moumouls mtrezza
Credited to Moumouls and mtrezza
AWS CDK CLI prints AWS credentials retrieved by custom credential plugins Moderate
CVE-2025-2598 was published for aws-cdk (npm) Mar 21, 2025
QGIS QWC2 Cross-Site Scripting vulnerability Moderate
CVE-2025-11183 was published for qwc2 (npm) Oct 13, 2025
Flowise Stored XSS vulnerability through logs in chatbot Moderate
CVE-2025-29192 was published for flowise (npm) Oct 3, 2025
LIFE-team2024
Credited to LIFE-team2024
Flowise vulnerable to XSS Moderate
GHSA-4fr9-3x69-36wv was published for flowise (npm) Oct 3, 2025
quitbug
Credited to quitbug
Mastra Docs MCP Server `@mastra/mcp-docs-server` Leads to Information Exposure Moderate
CVE-2025-61685 was published for @mastra/mcp-docs-server (npm) Sep 24, 2025
lirantal
Credited to lirantal
Astro's `X-Forwarded-Host` is reflected without validation Moderate
CVE-2025-61925 was published for astro (npm) Oct 10, 2025
Chisnet
Credited to Chisnet
MCPHub has an Improper Authorization vulnerability via its handleSseConnection function Moderate
CVE-2025-11287 was published for @samanhappy/mcphub (npm) Oct 5, 2025
Withdrawn Advisory: Bootstrap Cross-Site Scripting (XSS) vulnerability Moderate
CVE-2024-6531 was published for bootstrap (RubyGems) Jul 11, 2024 withdrawn
alexeyNeklesa-idt metametadata
eoftedal
Credited to alexeyNeklesa-idt, metametadata, and eoftedal
Withdrawn Advisory: Incorrect Authorization in cross-fetch Moderate
CVE-2022-1365 was published for cross-fetch (npm) Apr 17, 2022 withdrawn
cysp AndrewMohawk
Credited to cysp and AndrewMohawk
Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function Moderate
CVE-2025-32379 was published for koa (npm) Apr 9, 2025
Denial of Service in node-static Moderate
GHSA-8r4g-cg4m-x23c was published for node-static (npm) Sep 22, 2021
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser Moderate
CVE-2025-30360 was published for webpack-dev-server (npm) Jun 4, 2025
sapphi-red
Credited to sapphi-red
webpack-dev-server users' source code may be stolen when they access a malicious web site Moderate
CVE-2025-30359 was published for webpack-dev-server (npm) Jun 4, 2025
sapphi-red
Credited to sapphi-red
algoliasearch-helper is vulnerable to Prototype Pollution in _merge() Moderate
CVE-2025-3193 was published for algoliasearch-helper (npm) Sep 27, 2025
Regular Expression Denial of Service (ReDoS) in lodash Moderate
CVE-2020-28500 was published for lodash (RubyGems) Jan 6, 2022
mitchell-codecov nitaiapiiro
DmitriyLewen jkmartindale G-Rath levpachmanov
Credited to mitchell-codecov, nitaiapiiro, DmitriyLewen, jkmartindale, G-Rath, and levpachmanov
Regular Expression Denial of Service (ReDoS) in lodash Moderate
CVE-2019-1010266 was published for lodash (RubyGems) Jul 19, 2019
mitchell-codecov G-Rath
levpachmanov
Credited to mitchell-codecov, G-Rath, and levpachmanov
blamer vulnerable to Arbitrary Argument Injection via the blameByFile() API Moderate
CVE-2023-26143 was published for blamer (npm) Sep 19, 2023
lirantal
Credited to lirantal
Directory Traversal in Next.js Moderate
CVE-2020-5284 was published for next (npm) Mar 30, 2020
counterpart vulnerable to prototype pollution Moderate
CVE-2025-57354 was published for counterpart (npm) Sep 24, 2025
Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages Moderate
CVE-2025-59417 was published for @lobehub/chat (npm) Sep 18, 2025
jackfromeast Suuuuuzy
Credited to jackfromeast and Suuuuuzy
lobe-chat has an Open Redirect Moderate
CVE-2025-59426 was published for @lobehub/chat (npm) Sep 24, 2025
im-soohyun
Credited to im-soohyun
express-xss-sanitizer has an unbounded recursion depth Moderate
CVE-2025-59364 was published for express-xss-sanitizer (npm) Sep 26, 2025
Duplicate Advisory: express-xss-sanitizer has an unbounded recursion depth Moderate
GHSA-qhwp-454g-2gv4 was published for express-xss-sanitizer (npm) Sep 15, 2025 withdrawn
cai0duque AhmedAdelFahim
Credited to cai0duque and AhmedAdelFahim
json-schema-editor-visual vulnerable to prototype pollution Moderate
CVE-2025-57320 was published for json-schema-editor-visual (npm) Sep 24, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database