GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

25,344 advisories

terminal-controller-mcp vulnerable to Command Injection (Severity: Critical)
CVE-2025-61492 was published for terminal-controller (pip) on Jan 7, 2026

fast-filesystem-mcp has a Path Traversal vulnerability (Severity: High)
CVE-2025-67364 was published for fast-filesystem-mcp (npm) on Jan 7, 2026

Undertow HTTP server core doesn't properly validate the Host header in incoming HTTP requests (Severity: Critical)
CVE-2025-12543 was published for io.undertow:undertow-core (Maven) on Jan 7, 2026

RustFS Path Traversal Vulnerability (Severity: High)
CVE-2025-68705 was published for rustfs (Rust) on Jan 7, 2026

Quarkus REST has potential worker thread starvation when HTTP connection is closed while waiting to write (Severity: Moderate)
CVE-2025-66560 was published for io.quarkus:quarkus-rest (Maven) on Jan 7, 2026

OpenFlagr contains an authentication bypass vulnerability in the HTTP middleware (Severity: Critical)
CVE-2026-0650 was published for github.com/openflagr/flagr (Go) on Jan 7, 2026

carbone Code Injection vulnerability (Severity: Low)
CVE-2024-14020 was published for carbone (npm) on Jan 7, 2026

Directus has open redirect in SAML (Severity: Moderate)
CVE-2026-22032 was published for @directus/api (npm) on Jan 6, 2026
Credited to im-soohyun and Seeunsama

rsa crate has potential panic on a prime being equal to 1 (Severity: Low)
CVE-2026-21895 was published for rsa (Rust) on Jan 6, 2026
Credited to invd

Parsl Monitoring Visualization Vulnerable to SQL Injection (Severity: Moderate)
CVE-2026-21892 was published for parsl (pip) on Jan 6, 2026
Credited to viralvaghela

Bypassing Kyverno Policies via Double Policy Exceptions (Severity: Critical)
GHSA-gg4x-fgg2-h9w9 was published for github.com/kyverno/kyverno (Go) on Jan 6, 2026
Credited to r0binak

Bokeh server applications have Incomplete Origin Validation in WebSockets (Severity: Moderate)
CVE-2026-21883 was published for bokeh (pip) on Jan 6, 2026
Credited to katzj

n8n Vulnerable to RCE via Arbitrary File Write (Severity: Critical)
CVE-2026-21877 was published for n8n (npm) on Jan 6, 2026
Credited to theolelasseux

Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability (Severity: Moderate)
CVE-2026-21859 was published for github.com/axllent/mailpit (Go) on Jan 6, 2026
Credited to omarkurt

MONAI has Path Traversal (Zip Slip) in NGC Private Bundle Download (Severity: Moderate)
CVE-2026-21851 was published for monai (pip) on Jan 6, 2026
Credited to yueyueL

Pterodactyl TOTPs can be reused during validity window (Severity: Moderate)
CVE-2025-69197 was published for pterodactyl/panel (Composer) on Jan 6, 2026

Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced (Severity: High)
CVE-2025-68954 was published for github.com/pterodactyl/wings (Composer) on Jan 6, 2026
Credited to real2two

AIOHTTP Vulnerable to Cookie Parser Warning Storm (Severity: Low)
CVE-2025-69230 was published for aiohttp (pip) on Jan 5, 2026
Credited to Finder16

AIOHTTP vulnerable to DoS through chunked messages (Severity: Moderate)
CVE-2025-69229 was published for aiohttp (pip) on Jan 5, 2026
Credited to Finder16

AIOHTTP vulnerable to denial of service through large payloads (Severity: Moderate)
CVE-2025-69228 was published for aiohttp (pip) on Jan 5, 2026
Credited to ThomasRinsma and Finder16

AIOHTTP vulnerable to DoS when bypassing asserts (Severity: Moderate)
CVE-2025-69227 was published for aiohttp (pip) on Jan 5, 2026
Credited to ThomasRinsma

AIOHTTP vulnerable to brute-force leak of internal static file path components (Severity: Low)
CVE-2025-69226 was published for aiohttp (pip) on Jan 5, 2026
Credited to ThomasRinsma

AIOHTTP has unicode match groups in regexes for ASCII protocol elements (Severity: Low)
CVE-2025-69225 was published for aiohttp (pip) on Jan 5, 2026
Credited to ThomasRinsma

AIOHTTP's unicode processing of header values could cause parsing discrepancies (Severity: Low)
CVE-2025-69224 was published for aiohttp (pip) on Jan 5, 2026
Credited to ThomasRinsma
Advisories are also available from the GraphQL API.