GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,244 advisories

CNA Plugins Portmap nftables backend can intercept non-local traffic Moderate
CVE-2025-67499 was published for github.com/containernetworking/plugins (Go) Dec 9, 2025
Credited to agusdallalba and champtar
OpenTofu incorrectly validates excluded subdomain constraint in conjunction with TLS certificates containing wildcard SANs Moderate
GHSA-mjcp-gpgx-ggcg was published for github.com/opentofu/opentofu (Go) Dec 9, 2025
Singularity ineffectively applies selinux / apparmor LSM process labels Moderate
CVE-2025-64750 was published for github.com/sylabs/singularity/v4 (Go) Dec 2, 2025
1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers Moderate
CVE-2025-66508 was published for github.com/1Panel-dev/1Panel (Go) Dec 8, 2025
Credited to Threonine
memos vulnerability allows arbitrary modification or deletion of registered identity providers Moderate
CVE-2025-65797 was published for github.com/usememos/memos (Go) Dec 8, 2025
Traefik Inverted TLS Verification Logic in ingress-nginx Provider Moderate
CVE-2025-66491 was published for github.com/traefik/traefik/v3 (Go) Dec 8, 2025
Credited to pavelkohout396
Path Normalization Bypass in Traefik Router + Middleware Rules Moderate
CVE-2025-66490 was published for github.com/traefik/traefik (Go) Dec 8, 2025
Credited to ShadoooooW
memos lacks file name validation or verification Moderate
CVE-2025-65799 was published for github.com/usememos/memos (Go) Dec 8, 2025
memos vulnerability allows arbitrary modification or deletion of attachments Moderate
CVE-2025-65798 was published for github.com/usememos/memos (Go) Dec 8, 2025
memos vulnerability allows arbitrary deletion of reactions Moderate
CVE-2025-65796 was published for github.com/usememos/memos (Go) Dec 8, 2025
Babylon Incorrect FP inactive accounting in costaking creates “phantom stake” that earns rewards after BTC unbond Moderate
GHSA-4rmq-mc2c-r495 was published for github.com/babylonlabs-io/babylon (Go) Dec 9, 2025
operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd Moderate
CVE-2025-7195 was published for github.com/operator-framework/operator-sdk (Go) Aug 7, 2025
Mattermost Server allows attackers to create buttons that can launch API requests Moderate
CVE-2017-18890 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server is vulnerable to webhook and slash command manipulation Moderate
CVE-2017-18889 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server exposes team creator's e-mail address to other members Moderate
CVE-2017-18887 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server has low entropy for authorization data as an OAuth 2.0 Service Provider Moderate
CVE-2017-18883 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Credited to botengyao, phlax, ggreenway, yanavlasov, and agrawroh
Envoy crashes when JWT authentication is configured with the remote JWKS fetching Moderate
CVE-2025-64527 was published for github.com/envoyproxy/envoy (Go) Dec 5, 2025
Credited to botengyao, phlax, agrawroh, and yanavlasov
Mattermost Server is vulnerable to XSS through author_link field in Slack attachments Moderate
CVE-2017-18879 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server allows users with a session ID to revoke another user's session Moderate
CVE-2017-18878 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server is vulnerable to XSS attacks against an OAuth 2.0 allow/deny page Moderate
CVE-2017-18877 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server is vulnerable to Path Traversal when files are stored locally Moderate
CVE-2017-18876 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server does not prevent System Admin from arbitrary file creation Moderate
CVE-2017-18875 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
step-ca Has Improper Authorization Check for SSH Certificate Revocation Moderate
CVE-2025-66406 was published for github.com/smallstep/certificates (Go) Dec 3, 2025
Mattermost Server exposes team invite IDs through API endpoints Moderate
CVE-2017-18902 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
ProTip! Advisories are also available from the GraphQL API