Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,386
Erlang
33
GitHub Actions
22
Go
2,141
Maven
5,000+
npm
3,803
NuGet
687
pip
3,480
Pub
12
RubyGems
897
Rust
898
Swift
38
Unreviewed advisories
All unreviewed
5,000+

2,141 advisories

Loading
Navidrome allows an authentication bypass in Subsonic API with non-existent username Moderate
CVE-2025-27112 was published for github.com/navidrome/navidrome (Go) Feb 25, 2025
daniele-athome
DoS in go-jose Parsing Moderate
CVE-2025-27144 was published for github.com/go-jose/go-jose/v4 (Go) Feb 24, 2025
Mattermost allows reading arbitrary files related to importing boards Critical
CVE-2025-25279 was published for github.com/mattermost/mattermost/server/v8 (Go) Feb 24, 2025
Mattermost fails to restrict channel export of archived channels Moderate
CVE-2025-24526 was published for github.com/mattermost/mattermost/server/v8 (Go) Feb 24, 2025
Mattermost allows reading arbitrary files Critical
CVE-2025-20051 was published for github.com/mattermost/mattermost/server/v8 (Go) Feb 24, 2025
Mattermost fails to invalidate all active sessions when converting a user to a bot Low
CVE-2025-1412 was published for github.com/mattermost/mattermost/server/v8 (Go) Feb 24, 2025
lakeFS allows an authenticated user to cause a crash by exhausting server memory Moderate
CVE-2025-27100 was published for github.com/treeverse/lakefs (Go) Feb 21, 2025
arielshaqed ItamarYuran
S3-Proxy allows Reflected Cross-site Scripting (XSS) in template implementation High
CVE-2025-27088 was published for github.com/oxyno-zeta/s3-proxy/cmd/s3-proxy (Go) Feb 20, 2025
ddvleeuwen oxyno-zeta
Cosmos SDK: Groups module can halt chain when handling a malicious proposal High
GHSA-x5vx-95h7-rv4p was published for github.com/cosmos/cosmos-sdk (Go) Feb 20, 2025
dongsam
Hermes improperly validates a JWT High
CVE-2025-1293 was published for github.com/hashicorp-forge/hermes (Go) Feb 20, 2025
SSRF in sliver teamserver Moderate
CVE-2025-27090 was published for github.com/bishopfox/sliver (Go) Feb 19, 2025
chebuya
OpenFGA Authorization Bypass Moderate
CVE-2025-25196 was published for github.com/openfga/openfga (Go) Feb 19, 2025
Authelia applies regulation separately to Username-based logins to Email-based logins Low
CVE-2025-24806 was published for github.com/authelia/authelia/v4 (Go) Feb 19, 2025
tsschaffert Ahrdie
caesarakalaeii
`gh attestation verify` returns incorrect exit code during verification if no attestations are present Moderate
CVE-2025-25204 was published for github.com/cli/cli/v2 (Go) Feb 14, 2025
codysoyland phillmv
kommendorkapten jkylekelly
Node Denial of Service via kubelet Checkpoint API Moderate
CVE-2025-0426 was published for k8s.io/kubernetes (Go) Feb 13, 2025
MaysWind ezBookkeeping has Improper Privilege Management Critical
CVE-2024-57604 was published for github.com/mayswind/ezbookkeeping (Go) Feb 13, 2025
Missing rate limit in MaysWind ezBookkeeping Moderate
CVE-2024-57603 was published for github.com/mayswind/ezbookkeeping (Go) Feb 13, 2025
Potential Denial-of-Service condition leading to temporary disability in IBC transfers to the native chain Moderate
GHSA-6fgm-x6ff-w78f was published for github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v7 (Go) Feb 12, 2025
go-crypto-winnative BCryptGenerateSymmetricKey memory leak High
CVE-2025-25199 was published for github.com/microsoft/go-crypto-winnative (Go) Feb 12, 2025
clarkb7
Unencrypted transmission in Temporal api-go library Low
CVE-2025-1243 was published for go.temporal.io/api (Go) Feb 12, 2025
Distribution's token authentication allows to inject an untrusted signing key in a JWT High
CVE-2025-24976 was published for github.com/distribution/distribution/v3 (Go) Feb 11, 2025
evanebb
SFTPGo has insufficient sanitization of user provided rsync command High
CVE-2025-24366 was published for github.com/drakkan/sftpgo (Go) Feb 7, 2025
ateamjkr
WhoDB allows parameter injection in DB connection URIs leading to local file inclusion High
CVE-2025-24787 was published for github.com/clidey/whodb/core (Go) Feb 6, 2025
nnsee modelorona
hkdeman
WhoDB has a path traversal opening Sqlite3 database Critical
CVE-2025-24786 was published for github.com/clidey/whodb/core (Go) Feb 6, 2025
nnsee modelorona
hkdeman
Plenti - Code Injection - Denial of Services Moderate
GHSA-mj4v-hp69-27x5 was published for github.com/plentico/plenti (Go) Feb 5, 2025
ahmetak4n
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database