GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 40; GitHub Actions 38; Go 2,766; Maven 5,000+; npm 4,371; NuGet 767; pip 4,144; Pub 12; RubyGems 962; Rust 1,070; Swift 45.
Unreviewed advisories: All unreviewed 5,000+.
11,155 advisories
Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization. Severity: Moderate. CVE-2025-13467 was published for org.keycloak:keycloak-ldap-federation (Maven), Dec 19, 2025.
FastAPI Users Vulnerable to 1-click Account Takeover in Apps Using FastAPI SSO. Severity: Moderate. CVE-2025-68481 was published for fastapi-users (pip), Dec 19, 2025.
FastAPI SSO is vulnerable to Cross-site Request Forgery (CSRF) through improper OAuth parameter validation. Severity: Moderate. CVE-2025-14546 was published for fastapi-sso (pip), Dec 19, 2025.
Elasticsearch has Excessive Allocation of Resources via Submission of Oversized User Settings Data. Severity: Moderate. CVE-2025-68384 was published for org.elasticsearch.plugin:x-pack-security (Maven), Dec 19, 2025.
Filebeat Beats has Buffer Overflow via Malformed Syslog Message or Malicious Tokenizer Pattern in Dissect Configuration. Severity: Moderate. CVE-2025-68383 was published for github.com/elastic/beats (Go), Dec 19, 2025.
Elasticsearch privileged authenticated users can cause DoS through Excessive Resource Allocation. Severity: Moderate. CVE-2025-68390 was published for org.elasticsearch.plugin:x-pack-core (Maven), Dec 19, 2025.
Apache Log4j does not verify the TLS hostname in its Socket Appender. Severity: Moderate. CVE-2025-68161 was published for org.apache.logging.log4j:log4j-core (Maven), Dec 18, 2025.
AWS SDK for PHP's S3 Encryption Client has a Key Commitment Issue. Severity: Moderate. CVE-2025-14761 was published for aws/aws-sdk-php (Composer), Dec 18, 2025.
AWS SDK for Ruby's S3 Encryption Client has a Key Commitment Issue. Severity: Moderate. CVE-2025-14762 was published for aws-sdk-s3 (RubyGems), Dec 18, 2025.
Amazon S3 Encryption Client has a Key Commitment Issue. Severity: Moderate. CVE-2025-14764 was published for github.com/aws/amazon-s3-encryption-client-go/v3 (Go), Dec 18, 2025.
Amazon S3 Encryption Client for Java has a Key Commitment Issue. Severity: Moderate. CVE-2025-14763 was published for software.amazon.encryption.s3:amazon-s3-encryption-client-java (Maven), Dec 18, 2025.
Amazon S3 Encryption Client for .NET has a Key Commitment Issue. Severity: Moderate. CVE-2025-14759 was published for Amazon.Extensions.S3.Encryption (NuGet), Dec 18, 2025.
Nodemailer is vulnerable to DoS through Uncontrolled Recursion. Severity: Moderate. CVE-2025-14874 was published for nodemailer (npm), Dec 18, 2025.
Biopython is vulnerable to doctype XML external entity (XXE) injection through Bio.Entrez. Severity: Moderate. CVE-2025-68463 was published for biopython (pip), Dec 18, 2025.
mcp-server-git has missing path validation when using --repository flag. Severity: Moderate. CVE-2025-68145 was published for mcp-server-git (pip), Dec 17, 2025.
mcp-server-git argument injection in git_diff and git_checkout functions allows overwriting local files. Severity: Moderate. CVE-2025-68144 was published for mcp-server-git (pip), Dec 17, 2025.
Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation. Severity: Moderate. CVE-2025-13324 was published for github.com/mattermost/mattermost (Go), Dec 17, 2025.
Mattermost fails to check Websocket request for proper UTF-8 format potentially crashing Calls plug-in. Severity: Moderate. CVE-2025-12689 was published for github.com/mattermost/mattermost-plugin-calls (Go), Dec 17, 2025.
Auth0 WordPress has Improper Audience Validation via Auth0-PHP SDK Dependency. Severity: Moderate. GHSA-vvg7-8rmq-92g7 was published for auth0/wordpress (Composer), Dec 17, 2025.
Auth0 Symfony SDK has Improper Audience Validation via Auth0-PHP SDK. Severity: Moderate. GHSA-f3r2-88mq-9v4g was published for auth0/symfony (Composer), Dec 17, 2025.
Auth0 Laravel SDK has Improper Audience Validation via Auth0-PHP SDK dependency. Severity: Moderate. GHSA-7hh9-gp72-wh7h was published for auth0/login (Composer), Dec 17, 2025.
Auth0-PHP SDK has Improper Audience Validation. Severity: Moderate. CVE-2025-68129 was published for auth0/auth0-php (Composer), Dec 17, 2025.
mcp-server-git's unrestricted git_init tool allows repository creation at arbitrary filesystem locations. Severity: Moderate. CVE-2025-68143 was published for mcp-server-git (pip), Dec 17, 2025.
Duplicate Advisory: python-jose denial of service via compressed JWE content. Severity: Moderate. CVE-2024-29370 was published for python-jose (pip), Dec 17, 2025 (withdrawn).
Mattermost has CSRF vulnerability via Calls Widget page. Severity: Moderate. CVE-2025-62190 was published for github.com/mattermost/mattermost-plugin-calls (Go), Dec 17, 2025.