
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

25,211 advisories

Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI (Moderate)
CVE-2025-68454 was published for craftcms/cms (Composer) Jan 5, 2026
Credited to RajChowdhury240 and rlarabee

Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation (Moderate)
CVE-2025-68437 was published for craftcms/cms (Composer) Jan 5, 2026
Credited to mHe4am

Craft CMS vulnerable to potential information disclosure via unchecked asset relocation (Moderate)
CVE-2025-68436 was published for craftcms/cms (Composer) Jan 5, 2026
Credited to z3rco

jsPDF has Local File Inclusion/Path Traversal vulnerability (Critical)
CVE-2025-68428 was published for jspdf (npm) Jan 5, 2026
Credited to kilkat

flagd: Multiple Go Runtime CVEs Impact Security and Availability (High)
GHSA-4c5f-9mj4-m247 was published for github.com/open-feature/flagd/core (Go) Jan 5, 2026
Credited to pramod-ahire

MessagePack for Java Vulnerable to Remote DoS via Malicious EXT Payload Allocation (High)
CVE-2026-21452 was published for org.msgpack:msgpack-core (Maven) Jan 5, 2026
Credited to HyperPS

listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover (Moderate)
CVE-2026-21483 was published for github.com/knadh/listmonk (Go) Jan 2, 2026
Credited to PlayerIUnknown

Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users (High)
CVE-2026-21449 was published for bagisto/bagisto (Composer) Jan 2, 2026

Bagisto has IDOR in Customer Order Reorder Functionality (High)
CVE-2026-21447 was published for bagisto/bagisto (Composer) Jan 2, 2026
Credited to DenizParlak

Bagisto has Normal & Blind SSTI from low-privilege user when ordering product (High)
CVE-2026-21448 was published for bagisto/bagisto (Composer) Jan 2, 2026

Bagisto SSTI vulnerability in type parameter can lead to RCE (High)
CVE-2026-21450 was published for bagisto/bagisto (Composer) Jan 2, 2026

Bagisto has HTML Filter Bypass that Enables Stored XSS (Moderate)
CVE-2026-21451 was published for bagisto/bagisto (Composer) Jan 2, 2026
Credited to cybercrew-analyst

Bagisto Missing Authentication on Installer API Endpoints (High)
CVE-2026-21446 was published for bagisto/bagisto (Composer) Jan 2, 2026
Credited to mhzcyber

Langflow Missing Authentication on Critical API Endpoints (High)
CVE-2026-21445 was published for langflow (pip) Jan 2, 2026
Credited to kj84park and juh0ng

AdonisJS Path Traversal in Multipart File Handling (Critical)
CVE-2026-21440 was published for @adonisjs/bodyparser (npm) Jan 2, 2026
Credited to wodzen

Duplicate Advisory: Reflected XSS in go-httpbin due to unrestricted client control over Content-Type (Low)
GHSA-p4f6-h8jj-vfvf was published for github.com/mccutchen/go-httpbin (Go) Jan 2, 2026 (withdrawn)

Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling (Critical)
CVE-2025-68620 was published for signalk-server (npm) Jan 2, 2026
Credited to atsc11

Signal K Server Vulnerable to Access Request Spoofing (Moderate)
CVE-2025-69203 was published for signalk-server (npm) Jan 2, 2026
Credited to atsc11

Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package (High)
CVE-2025-68619 was published for signalk-server (npm) Jan 2, 2026
Credited to atsc11

Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints (Moderate)
CVE-2025-68273 was published for signalk-server (npm) Jan 2, 2026

Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding (High)
CVE-2025-68272 was published for signalk-server (npm) Jan 2, 2026

Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE) (Critical)
CVE-2025-66398 was published for signalk-server (npm) Jan 2, 2026

Apache StreamPipes has Improper Privilege Management issue (Moderate)
CVE-2025-47411 was published for org.apache.streampipes:streampipes-parent (Maven) Jan 1, 2026

Feast vulnerable to Deserialization of Untrusted Data (High)
CVE-2025-11157 was published for feast (pip) Jan 1, 2026