GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 4,968
Erlang: 39
GitHub Actions: 38
Go: 2,616
Maven: 5,000+
npm: 4,255
NuGet: 760
pip: 4,040
Pub: 12
RubyGems: 953
Rust: 1,050
Swift: 45
Unreviewed advisories
All unreviewed: 5,000+
273 advisories
Karmada Dashboard API Unauthorized Access Vulnerability
  Critical. CVE-2025-62714 was published for github.com/karmada-io/dashboard (Go) on Oct 24, 2025.

NeuVector Enforcer is vulnerable to Command Injection and Buffer overflow
  Critical. CVE-2025-54469 was published for github.com/neuvector/neuvector (Go) on Oct 21, 2025.

Cosmos EVM Vulnerability
  Critical. GHSA-8pfh-j44r-f654 was published for github.com/cosmos/evm (Go) on Oct 21, 2025.

NetBird VPN does not remove the default password of an admin account
  Critical. CVE-2025-10678 was published for github.com/netbirdio/netbird (Go) on Oct 20, 2025.

Gardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning
  Critical. CVE-2025-59823 was published for github.com/gardener/gardener-extension-provider-aws (Go) on Sep 25, 2025.

Chaos Controller Manager is vulnerable to OS command injection
  Critical. CVE-2025-59360 was published for github.com/chaos-mesh/chaos-mesh (Go) on Sep 15, 2025.

Chaos Controller Manager is vulnerable to OS command injection
  Critical. CVE-2025-59361 was published for github.com/chaos-mesh/chaos-mesh (Go) on Sep 15, 2025.

Chaos Controller Manager is vulnerable to OS command injection
  Critical. CVE-2025-59359 was published for github.com/chaos-mesh/chaos-mesh (Go) on Sep 15, 2025.

Hoverfly is vulnerable to Remote Code Execution through an insecure middleware implementation
  Critical. CVE-2025-54123 was published for github.com/SpectoLabs/hoverfly (Go) on Sep 10, 2025.

pREST has a Systemic SQL Injection Vulnerability
  Critical. CVE-2025-58450 was published for github.com/prest/prest/v2 (Go) on Sep 8, 2025.

Argo CD's Project API Token Exposes Repository Credentials
  Critical. CVE-2025-55190 was published for github.com/argoproj/argo-cd/v2 (Go) on Sep 4, 2025.

NeuVector admin account has insecure default password
  Critical. CVE-2025-8077 was published for github.com/neuvector/neuvector (Go) on Aug 28, 2025.

HydrAIDE Authentication Bypass Vulnerability
  Critical. GHSA-qp7j-x725-g67f was published for github.com/hydraide/hydraide (Go) on Aug 19, 2025.

Capsule tenant owners with "patch namespace" permission can hijack system namespaces label
  Critical. CVE-2025-55205 was published for github.com/projectcapsule/capsule (Go) on Aug 18, 2025.

Privileged OpenBao Operator May Execute Code on the Underlying Host
  Critical. CVE-2025-54997 was published for github.com/openbao/openbao (Go) on Aug 8, 2025.

Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration
  Critical. CVE-2025-6000 was published for github.com/hashicorp/vault (Go) on Aug 1, 2025.

OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion
  Critical. CVE-2025-54576 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go) on Jul 30, 2025.

NVIDIA Container Toolkit for all platforms contains an Untrusted Search Path
  Critical. CVE-2025-23266 was published for github.com/NVIDIA/gpu-operator (Go) on Jul 17, 2025.

Gogs allows deletion of internal files which leads to remote command execution
  Critical. CVE-2024-56731 was published for gogs.io/gogs (Go) on Jun 24, 2025.

Mattermost allows authenticated users to write files to arbitrary locations
  Critical. CVE-2025-4981 was published for github.com/mattermost/mattermost-server (Go) on Jun 20, 2025.

Teleport allows remote authentication bypass
  Critical. CVE-2025-49825 was published for github.com/gravitational/teleport (Go) on Jun 16, 2025.

listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user
  Critical. CVE-2025-49136 was published for github.com/knadh/listmonk (Go) on Jun 9, 2025.

Fabio allows HTTP clients to manipulate custom headers it adds
  Critical. CVE-2025-48865 was published for github.com/fabiolb/fabio (Go) on May 29, 2025.

Argo CD allows cross-site scripting on repositories page
  Critical. CVE-2025-47933 was published for github.com/argoproj/argo-cd (Go) on May 28, 2025.

Gardener allows metadata injection for a project secret which can lead to privilege escalation
  Critical. CVE-2025-47284 was published for github.com/gardener/gardener (Go) on May 19, 2025.
Advisories are also available from the GraphQL API.