Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,669
Erlang
34
GitHub Actions
26
Go
2,262
Maven
5,000+
npm
3,912
NuGet
705
pip
3,681
Pub
12
RubyGems
916
Rust
943
Swift
38
Unreviewed advisories
All unreviewed
5,000+

1,363 advisories

Loading
NodeJS Driver for Snowflake has race condition when checking access to Easy Logging configuration file Low
CVE-2025-46328 was published for snowflake-sdk (npm) Apr 28, 2025
Go Snowflake Driver has race condition when checking access to Easy Logging configuration file Low
CVE-2025-46327 was published for github.com/snowflakedb/gosnowflake (Go) Apr 28, 2025
Snowflake Connector for .NET has race condition when checking access to Easy Logging configuration file Low
CVE-2025-46326 was published for Snowflake.Data (NuGet) Apr 28, 2025
Apereo CAS code injection vulnerability Low
CVE-2025-3984 was published for org.apereo.cas:cas-management-webapp-support (Maven) Apr 27, 2025
markdownify allows large headline prefixes such as <h9999999>, which causes memory consumption Low
CVE-2025-46656 was published for markdownify (pip) Apr 27, 2025
Moodle has a CSRF risk in user tours manager that allows tour duplication Low
CVE-2025-3635 was published for moodle/moodle (Composer) Apr 25, 2025
Moodle's mod_data edit/delete pages pass CSRF token in GET parameter Low
CVE-2025-3637 was published for moodle/moodle (Composer) Apr 25, 2025
Moodle has a CSRF risk in Brickfield tool's analysis request action Low
CVE-2025-3638 was published for moodle/moodle (Composer) Apr 25, 2025
Mattermost Playbooks fails to properly validate permissions Low
CVE-2025-41423 was published for github.com/mattermost/mattermost-plugin-playbooks (Go) Apr 24, 2025
Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415 Low
GHSA-5w6v-399v-w3cc was published for nokogiri (RubyGems) Apr 21, 2025
OpenCMS Cross-Site Scripting vulnerability Low
CVE-2024-42699 was published for org.opencms:opencms-core (Maven) Apr 21, 2025
Mattermost doesn't restrict domains LLM can request to contact upstream Low
CVE-2025-31363 was published for github.com/mattermost/mattermost/server/v8 (Go) Apr 16, 2025
Mattermost Incorrect Authorization vulnerability Low
CVE-2025-24839 was published for github.com/mattermost/mattermost/server/v8 (Go) Apr 16, 2025
Mattermost Missing Authentication for Critical Function Low
CVE-2025-27538 was published for github.com/mattermost/mattermost/server/v8 (Go) Apr 16, 2025
aws-cdk-lib's aspect order change causes different Permissions Boundary assigned to Role Low
GHSA-qc59-cxj2-c2w4 was published for aws-cdk-lib (npm) Apr 15, 2025
VCS credentials included in URL parameters are potentially logged and saved into browser history as plaintext Low
CVE-2025-32021 was published for weblate (pip) Apr 15, 2025
joonashak nijel
gersona
Mattermost Incorrect Authorization vulnerability Low
CVE-2025-2424 was published for github.com/mattermost/mattermost/server/v8 (Go) Apr 14, 2025
SurrealDB no JavaScript script function default timeout could facilitate DoS Low
GHSA-3824-qmfq-2qv7 was published for surrealdb (Rust) Apr 11, 2025
cure53
SurrealDB has local file read of 2-column TSV files via analyzers Low
GHSA-2cvj-g5r5-jrrg was published for surrealdb (Rust) Apr 10, 2025
cure53
Mattermost Fails to Enforce Proper Access Controls on `/api/v4/audits` Endpoint Low
CVE-2025-24866 was published for github.com/mattermost/mattermost/server/v8 (Go) Apr 10, 2025
Shopware default newsletter opt-in settings allow for mass sign-up abuse Low
CVE-2025-32378 was published for shopware/core (Composer) Apr 9, 2025
Pimcore's Admin Classic Bundle allows HTML Injection Low
CVE-2025-30166 was published for pimcore/admin-ui-classic-bundle (Composer) Apr 8, 2025
Tokio broadcast channel calls clone in parallel, but does not require `Sync` Low
GHSA-rr8g-9fpq-6wmg was published for tokio (Rust) Apr 7, 2025
React Draft Wysiwyg Cross-Site Scripting (XSS) via the Embedded Button Low
CVE-2025-3191 was published for react-draft-wysiwyg (npm) Apr 4, 2025
Next.js may leak x-middleware-subrequest-id to external hosts Low
CVE-2025-30218 was published for next (npm) Apr 2, 2025
Ry0taK takumi-san-ai
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database