Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,690
Maven
5,000+
npm
4,320
NuGet
760
pip
4,096
Pub
12
RubyGems
958
Rust
1,063
Swift
45
Unreviewed advisories
All unreviewed
5,000+

4,321 advisories

Loading
Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default High
CVE-2025-66414 was published for @modelcontextprotocol/sdk (npm) Dec 2, 2025
mdast-util-to-hast has unsanitized class attribute Moderate
CVE-2025-66400 was published for mdast-util-to-hast (npm) Dec 2, 2025
Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes High
CVE-2025-66412 was published for @angular/compiler (npm) Dec 2, 2025
alan-agius4 crisbeto
devversion AKiileX AndrewKushnir
Credited to alan-agius4, crisbeto, devversion, AKiileX, and AndrewKushnir
Portkey.ai Gateway: Server-Side Request Forgery (SSRF) in Custom Host Moderate
CVE-2025-66405 was published for @portkey-ai/gateway (npm) Dec 2, 2025
im-soohyun
Credited to im-soohyun
fastify-reply-from affected by bypass of reply forwarding Moderate
CVE-2025-66415 was published for @fastify/reply-from (npm) Dec 2, 2025
rozzilla
Credited to rozzilla
MCP Watch has a Critical Command Injection in cloneRepo allows Remote Code Execution (RCE) via malicious URL Critical
CVE-2025-66401 was published for mcp-watch (npm) Dec 2, 2025
viralvaghela
Credited to viralvaghela
Better Auth affected by external request basePath modification DoS Low
GHSA-569q-mpph-wgww was published for better-auth (npm) Dec 1, 2025
goksan
Credited to goksan
Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls Low
GHSA-rcmh-qjqh-p98v was published for nodemailer (npm) Dec 1, 2025
uko3211
Credited to uko3211
Withdrawn Advisory: express improperly controls modification of query properties Low
CVE-2024-51999 was published for express (npm) Dec 1, 2025 withdrawn
ctcpip wesleytodd
jonchurch bjohansebas UlisesGascon
Credited to ctcpip, wesleytodd, jonchurch, bjohansebas, and UlisesGascon
Tryton sao allows XSS because it does not escape completion values Moderate
CVE-2025-66421 was published for tryton-sao (npm) Nov 30, 2025
Tryton sao allows XSS via an HTML attachment Moderate
CVE-2025-66420 was published for tryton-sao (npm) Nov 30, 2025
Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements High
CVE-2025-12758 was published for validator (npm) Nov 27, 2025
Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client High
CVE-2025-66035 was published for @angular/common (npm) Nov 26, 2025
alan-agius4 AndrewKushnir
irsl hybrist AKiileX
Credited to alan-agius4, AndrewKushnir, irsl, hybrist, and AKiileX
Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions Low
GHSA-wmjr-v86c-m9jj was published for better-auth (npm) Nov 26, 2025
mufeedvh
Credited to mufeedvh
willitmerge has a Command Injection vulnerability Moderate
CVE-2025-66219 was published for willitmerge (npm) Nov 26, 2025
lirantal
Credited to lirantal
node-forge has ASN.1 Unbounded Recursion High
CVE-2025-66031 was published for node-forge (npm) Nov 26, 2025
wodzen
Credited to wodzen
node-forge is vulnerable to ASN.1 OID Integer Truncation Moderate
CVE-2025-66030 was published for node-forge (npm) Nov 26, 2025
wodzen
Credited to wodzen
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization High
CVE-2025-12816 was published for node-forge (npm) Nov 26, 2025
wodzen sei-vsarvepalli
Credited to wodzen and sei-vsarvepalli
Valibot has a ReDoS vulnerability in `EMOJI_REGEX` High
CVE-2025-66020 was published for valibot (npm) Nov 26, 2025
makenowjust
Credited to makenowjust
OneUptime Unauthorized User Creation via API High
CVE-2025-65966 was published for @oneuptime/common (npm) Nov 26, 2025
SamirWaleed
Credited to SamirWaleed
OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation Moderate
CVE-2025-66028 was published for @oneuptime/common (npm) Nov 25, 2025
SamirWaleed
Credited to SamirWaleed
Better Auth Passkey Plugin allows passkey deletion through IDOR High
GHSA-4vcf-q4xf-f48m was published for @better-auth/passkey (npm) Nov 25, 2025
goksan
Credited to goksan
body-parser is vulnerable to denial of service when url encoding is used Moderate
CVE-2025-13466 was published for body-parser (npm) Nov 25, 2025
Phillip9587 bjohansebas
UlisesGascon ctcpip sheplu jonchurch
Credited to Phillip9587, bjohansebas, UlisesGascon, ctcpip, sheplu, and jonchurch
Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` Moderate
CVE-2025-65944 was published for @sentry/astro (npm) Nov 24, 2025
Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage Moderate
CVE-2025-63700 was published for @clerk/clerk-js (npm) Nov 20, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database