Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
40
Go
2,974
Maven
5,000+
npm
4,621
NuGet
788
pip
4,317
Pub
12
RubyGems
984
Rust
1,131
Swift
49
Unreviewed advisories
All unreviewed
5,000+

191 advisories

Loading
File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL High
CVE-2026-25890 was published for github.com/filebrowser/filebrowser/v2 (Go) Feb 10, 2026
Fluxmux hacdias
Credited to Fluxmux and hacdias
OpenCloud Reva has a Public Link Exploit High
CVE-2026-23989 was published for github.com/opencloud-eu/reva/v2 (Go) Feb 5, 2026
rhafer aduffeck
dragotin micbar
Credited to rhafer, aduffeck, dragotin, and micbar
@fedify/fedify has Improper Authentication and Incorrect Authorization High
CVE-2025-54888 was published for @fedify/fedify (npm) Aug 8, 2025
allouis dahlia
Credited to allouis and dahlia
AutoGPT is Vulnerable to RCE via Disabled Block Execution High
CVE-2026-24780 was published for agpt (pip) Jan 29, 2026
rahulgovind
Credited to rahulgovind
Instaclustr Cassandra-Lucene-Index allows bypass of Cassandra RBAC High
CVE-2025-26511 was published for com.instaclustr:cassandra-lucene-index-plugin (Maven) Feb 13, 2025
jfleming-ic
Credited to jfleming-ic
Fleet has an Access Control vulnerability in debug/pprof endpoints High
CVE-2026-23517 was published for github.com/fleetdm/fleet (Go) Jan 20, 2026
prateek-0490 iansltx
Credited to prateek-0490 and iansltx
Grafana account takeover via OAuth vulnerability High
CVE-2022-31107 was published for github.com/grafana/grafana (Go) May 14, 2024
Incus creates nftables rules that partially bypass security options High
CVE-2025-52890 was published for github.com/lxc/incus/v6 (Go) Jun 26, 2025
obalpetre-anssi
Credited to obalpetre-anssi
Ghost has Staff Token permission bypass High
CVE-2026-22595 was published for ghost (npm) Jan 8, 2026
odgrso
Credited to odgrso
KEDA has Arbitrary File Read via Insufficient Path Validation in HashiCorp Vault Service Account Credential High
CVE-2025-68476 was published for github.com/kedacore/keda/v2 (Go) Dec 22, 2025
Liferay Portal and DXP Instance Admin can execute code using Objects Actions and Validations High
CVE-2025-3586 was published for com.liferay:com.liferay.object.service (Maven) Dec 12, 2025
Strimzi allows unrestricted access to all Secrets in the same Kubernetes namespace from Kafka Connect and MirrorMaker 2 operands High
CVE-2025-66623 was published for io.strimzi:strimzi (Maven) Dec 5, 2025
scholzj ppatierno
im-konge
Credited to scholzj, ppatierno, and im-konge
trytond does not enforce access rights for the route of the HTML editor. High
CVE-2025-66423 was published for trytond (pip) Nov 30, 2025
OpenStack Keystone allows /v3/ec2tokens or /v3/s3tokens request with valid AWS Signature to provide Keystone authorization. High
CVE-2025-65073 was published for keystone (pip) Nov 17, 2025
Ignite Realtime Openfire privilege escalation vulnerability High
CVE-2024-25420 was published for org.igniterealtime.openfire:xmppserver (Maven) Mar 26, 2024
Apollo Federation has Improper Enforcement of Access Control on Transitive Fields High
GHSA-m8jr-fxqx-8xx6 was published for @apollo/composition (npm) Nov 14, 2025
dariuszkuc
Credited to dariuszkuc
Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass) High
CVE-2025-59420 was published for authlib (pip) Sep 22, 2025
AL-Cybision
Credited to AL-Cybision
Drupal CivicTheme Design System allows Forceful Browsing High
CVE-2025-12082 was published for drupal/civictheme (Composer) Oct 30, 2025
MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service Accounts and STS High
CVE-2025-62506 was published for github.com/minio/minio (Go) Oct 16, 2025
donatello SimeonPoot
Credited to donatello and SimeonPoot
Rancher update on users can deny the service to the admin High
CVE-2024-58260 was published for github.com/rancher/rancher (Go) Sep 26, 2025
OpenBao AWS Plugin Vulnerable to Cross-Account IAM Role Impersonation in AWS Auth Method High
CVE-2025-59048 was published for github.com/openbao/openbao-plugins (Go) Oct 23, 2025
pkarakal
Credited to pkarakal
Magento has incorrect authorization issue that leads to arbitrary file system read High
CVE-2025-49556 was published for magento/community-edition (Composer) Aug 12, 2025
Magento provides incorrect authorization through a security feature bypass High
CVE-2025-54263 was published for magento/community-edition (Composer) Oct 14, 2025
Ash has authorization bypass when bypass policy condition evaluates to true High
CVE-2025-48044 was published for ash (Erlang) Oct 17, 2025
jechol maennchen
zachdaniel
Credited to jechol, maennchen, and zachdaniel
Mautic allows Improper Authorization in Reporting API High
CVE-2024-47053 was published for mautic/core (Composer) Feb 26, 2025
escopecz patrykgruszka
Credited to escopecz and patrykgruszka
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database