Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,722
Maven
5,000+
npm
4,329
NuGet
762
pip
4,105
Pub
12
RubyGems
958
Rust
1,065
Swift
45
Unreviewed advisories
All unreviewed
5,000+

24,920 advisories

Loading
robrichards/xmlseclibs has an Libxml2 Canonicalization error which can bypass Digest/Signature validation Moderate
CVE-2025-66578 was published for robrichards/xmlseclibs (Composer) Dec 8, 2025
d0ge
Credited to d0ge
Fiber Utils UUIDv4 and UUID Silent Fallback to Predictable Values Critical
CVE-2025-66565 was published for github.com/gofiber/utils (Go) Dec 8, 2025
sixcolors
Credited to sixcolors
1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers Moderate
CVE-2025-66508 was published for github.com/1Panel-dev/1Panel (Go) Dec 8, 2025
Threonine
Credited to Threonine
1Panel – CAPTCHA Bypass via Client-Controlled Flag High
CVE-2025-66507 was published for github.com/1Panel-dev/1Panel (Go) Dec 8, 2025
aliyevmursal
Credited to aliyevmursal
Traefik Inverted TLS Verification Logic in ingress-nginx Provider Moderate
CVE-2025-66491 was published for github.com/traefik/traefik/v3 (Go) Dec 8, 2025
pavelkohout396
Credited to pavelkohout396
Path Normalization Bypass in Traefik Router + Middleware Rules Moderate
CVE-2025-66490 was published for github.com/traefik/traefik (Go) Dec 8, 2025
ShadoooooW
Credited to ShadoooooW
Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765 Moderate
CVE-2025-66202 was published for astro (npm) Dec 8, 2025
zomaxsec
Credited to zomaxsec
Emby Server API Vulnerability allowing to gain administrative access without precondition Critical
CVE-2025-64113 was published for MediaBrowser.Server.Core (NuGet) Dec 8, 2025
tembybot
Credited to tembybot
Strimzi allows unrestricted access to all Secrets in the same Kubernetes namespace from Kafka Connect and MirrorMaker 2 operands High
CVE-2025-66623 was published for io.strimzi:strimzi (Maven) Dec 5, 2025
scholzj ppatierno
im-konge
Credited to scholzj, ppatierno, and im-konge
nitro-tpm-pcr-compute may allow kernel command line modification by an account operator Moderate
GHSA-xrv8-2pf5-f3q7 was published for nitro-tpm-pcr-compute (Rust) Dec 5, 2025
agraf mariusknaust
Credited to agraf and mariusknaust
yawkat LZ4 Java has a possible information leak in Java safe decompressor High
CVE-2025-66566 was published for at.yawk.lz4:lz4-java (Maven) Dec 5, 2025
simonresch
Credited to simonresch
Sigstore Timestamp Authority allocates excessive memory during request parsing High
CVE-2025-66564 was published for github.com/sigstore/timestamp-authority (Go) Dec 5, 2025
Fulcio allocates excessive memory during token parsing High
CVE-2025-66506 was published for github.com/sigstore/fulcio (Go) Dec 5, 2025
adeinega
Credited to adeinega
urllib3 streaming API improperly handles highly compressed data High
CVE-2025-66471 was published for urllib3 (pip) Dec 5, 2025
illia-v pquentin
sethmlarson Cycloctane stamparm
Credited to illia-v, pquentin, sethmlarson, Cycloctane, and stamparm
urllib3 allows an unbounded number of links in the decompression chain High
CVE-2025-66418 was published for urllib3 (pip) Dec 5, 2025
illia-v sethmlarson
pquentin
Credited to illia-v, sethmlarson, and pquentin
Envoy's TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte Moderate
CVE-2025-66220 was published for github.com/envoyproxy/envoy (Go) Dec 5, 2025
botengyao phlax
ggreenway yanavlasov agrawroh
Credited to botengyao, phlax, ggreenway, yanavlasov, and agrawroh
Envoy forwards early CONNECT data in TCP proxy mode Low
CVE-2025-64763 was published for github.com/envoyproxy/envoy (Go) Dec 5, 2025
botengyao phlax
yanavlasov agrawroh
Credited to botengyao, phlax, yanavlasov, and agrawroh
Envoy crashes when JWT authentication is configured with the remote JWKS fetching Moderate
CVE-2025-64527 was published for github.com/envoyproxy/envoy (Go) Dec 5, 2025
botengyao phlax
agrawroh yanavlasov
Credited to botengyao, phlax, agrawroh, and yanavlasov
Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF' High
CVE-2025-65959 was published for open-webui (npm) Dec 4, 2025
pyozzi-toss L2VE
Credited to pyozzi-toss and L2VE
Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web High
CVE-2025-65958 was published for open-webui (pip) Dec 4, 2025
teolines
Credited to teolines
Logrus is vulnerable to DoS when using Entry.Writer() High
CVE-2025-65637 was published for github.com/sirupsen/logrus (Go) Dec 4, 2025
Apache Tika has XXE vulnerability Critical
CVE-2025-66516 was published for org.apache.tika:tika-core (Maven) Dec 4, 2025
ComposioHQ has a directory traversal vulnerability Moderate
CVE-2025-56427 was published for composio (pip) Dec 4, 2025
open-webui is Vulnerable to Incorrect Access Control Low
CVE-2025-63681 was published for open-webui (pip) Dec 4, 2025
libcrux incorrectly calculates on aarch64 High
GHSA-2cgv-28vr-rv6j was published for libcrux-intrinsics (Rust) Dec 4, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database