GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
4,933
Erlang
39
GitHub Actions
38
Go
2,595
Maven
5,000+
npm
4,247
NuGet
754
pip
4,013
Pub
12
RubyGems
953
Rust
1,048
Swift
45
Unreviewed advisories
All unreviewed
5,000+
24,360 advisories
Filter by severity
uv has differential in tar extraction with PAX headers
Low
GHSA-w476-p2h3-79g9
was published
for
uv
(pip)
Oct 21, 2025
Liferay Portal fails to verify messages from the cluster network is trusted
Moderate
CVE-2025-62250
was published
for
com.liferay:com.liferay.portal.cluster.multiple
(Maven)
Oct 21, 2025
ProcessWire CMS vulnerable to resource-exhaustion Denial of Service
Moderate
CVE-2025-60790
was published
for
processwire/processwire
(Composer)
Oct 21, 2025
Cosmos EVM Vulnerability
Critical
GHSA-8pfh-j44r-f654
was published
for
github.com/cosmos/evm
(Go)
Oct 21, 2025
Shopware Customer Orders can be canceled, even if refunds are disabled
Moderate
GHSA-r2vg-hvjm-fg38
was published
for
shopware/core
(Composer)
Oct 21, 2025
Shopware exposes sensitive user information via CSV export mapping
Moderate
GHSA-27c9-vp3w-6ww8
was published
for
shopware/core
(Composer)
Oct 21, 2025
Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice
Low
GHSA-3cpp-fv95-mpr5
was published
for
shopware/core
(Composer)
Oct 21, 2025
Shopware vulnerable to path traversal via Plugin upload
Low
GHSA-6wh5-mw9h-5c3w
was published
for
shopware/core
(Composer)
Oct 21, 2025
Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually
Moderate
GHSA-m895-2hj3-8cg9
was published
for
shopware/core
(Composer)
Oct 21, 2025
astral-tokio-tar Vulnerable to PAX Header Desynchronization
High
CVE-2025-62518
was published
for
astral-tokio-tar
(Rust)
Oct 21, 2025
Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic
Moderate
CVE-2025-62595
was published
for
koa
(npm)
Oct 21, 2025
Taguette vulnerable to cross-site scripting via tag name, tag description, document name and document description
Moderate
CVE-2025-62528
was published
for
taguette
(pip)
Oct 20, 2025
Taguette password reset link poisoning
High
CVE-2025-62527
was published
for
taguette
(pip)
Oct 20, 2025
Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read
Moderate
GHSA-vffh-c9pq-4crh
was published
for
uptime-kuma
(npm)
Oct 20, 2025
vite allows server.fs.deny bypass via backslash on Windows
Moderate
CVE-2025-62522
was published
for
vite
(npm)
Oct 20, 2025
NetBird VPN does not remove the default password of an admin account
Critical
CVE-2025-10678
was published
for
github.com/netbirdio/netbird
(Go)
Oct 20, 2025
Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers
Moderate
GHSA-xvp7-8vm8-xfxx
was published
for
@actual-app/sync-server
(npm)
Oct 20, 2025
rollbar vulnerable to prototype pollution
Low
CVE-2025-57325
was published
for
rollbar
(npm)
Oct 20, 2025
Citizen vulnerable to stored XSS in sticky header button messages
Moderate
CVE-2025-62508
was published
for
starcitizentools/citizen-skin
(Composer)
Oct 20, 2025
Apache Syncope allows malicious administrators to inject Groovy code
High
CVE-2025-57738
was published
for
org.apache.syncope.core:syncope-core-spring
(Maven)
Oct 20, 2025
TastyIgniter vulnerable to Cross-Site Scripting
Low
CVE-2025-61417
was published
for
tastyigniter/tastyigniter
(Composer)
Oct 20, 2025
Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system
High
CVE-2025-47410
was published
for
org.apache.geode:geode-web
(Maven)
Oct 18, 2025
Cargo Mediawiki Extension vulnerable to Cross-site Scripting
Moderate
CVE-2025-62671
was published
for
mediawiki/cargo
(Composer)
Oct 18, 2025
MCMS vulnerable SQL injection via the content_title parameter
Critical
CVE-2025-56316
was published
for
net.mingsoft:ms-mcms
(Maven)
Oct 17, 2025
Duplicate Advisory: FlowiseAI Pre-Auth Arbitrary Code Execution
Critical
GHSA-3g4j-r53p-22wx
was published
for
flowise
(npm)
Oct 17, 2025
•
withdrawn
ProTip!
Advisories are also available from the
GraphQL API