GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

24,600 advisories

ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values (High)
GHSA-vfpf-xmwh-8m65 was published for prosemirror_to_html (RubyGems) Nov 7, 2025

Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc (High)
GHSA-f83h-ghpp-7wcc was published for pdfminer.six (pip) Nov 7, 2025
Credited to sumanrox

Arbitrary Code Execution in pdfminer.six via Crafted PDF Input (High)
GHSA-wf5f-4jwr-ppcp was published for pdfminer.six (pip) Nov 7, 2025
Credited to mtolley

KubeVirt Vulnerable to Arbitrary Host File Read and Write (High)
CVE-2025-64324 was published for github.com/kubevirt/kubevirt (Go) Nov 7, 2025
Credited to mihailkirov, Faeris95, and jean-edouard

AstrBot has an arbitrary file read vulnerability in function _encode_image_bs64 (Moderate)
CVE-2025-57697 was published for AstrBot (pip) Nov 7, 2025

AstrBot contains a directory traversal vulnerability (High)
CVE-2025-57698 was published for AstrBot (pip) Nov 7, 2025

Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events (High)
CVE-2025-64496 was published for open-webui (npm) Nov 7, 2025
Credited to vitalysim
Credited to gg0h

Nuxt DevTools vulnerable to cross-site scripting (XSS) (Moderate)
CVE-2025-52662 was published for @nuxt/devtools (npm) Nov 7, 2025

Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files (Low)
CVE-2025-48985 was published for ai (npm) Nov 7, 2025

Soft Serve does not sanitize ANSI escape sequences in user input (Moderate)
CVE-2025-64494 was published for github.com/charmbracelet/soft-serve (Go) Nov 6, 2025
Credited to Tomer-PL and caarlos0

KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes (Moderate)
CVE-2025-64437 was published for github.com/kubevirt/kubevirt (Go) Nov 6, 2025
Credited to mihailkirov and Faeris95

KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes (Moderate)
CVE-2025-64436 was published for github.com/kubevirt/kubevirt (Go) Nov 6, 2025
Credited to mihailkirov and Faeris95

KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation (Moderate)
CVE-2025-64435 was published for github.com/kubevirt/kubevirt (Go) Nov 6, 2025
Credited to mihailkirov and Faeris95

KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing (Moderate)
CVE-2025-64434 was published for kubevirt.io/kubevirt (Go) Nov 6, 2025
Credited to mihailkirov and Faeris95

KubeVirt Arbitrary Container File Read (Moderate)
CVE-2025-64433 was published for github.com/kubevirt/kubevirt (Go) Nov 6, 2025
Credited to mihailkirov and Faeris95

KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer (Moderate)
CVE-2025-64432 was published for kubevirt.io/kubevirt (Go) Nov 6, 2025
Credited to mihailkirov and Faeris95

containerd CRI server: Host memory exhaustion through Attach goroutine leak (Moderate)
CVE-2025-64329 was published for github.com/containerd/containerd (Go) Nov 6, 2025
Credited to Wheat2018

MQTT does not validate hostnames (High)
CVE-2025-12790 was published for mqtt (RubyGems) Nov 6, 2025

Apollo Router Affected by an Access Control Bypass on Polymorphic Types (High)
CVE-2025-64173 was published for apollo-router (Rust) Nov 6, 2025
Credited to dariuszkuc

Apollo Router Improperly Enforces Renamed Access Control Directives (High)
CVE-2025-64347 was published for apollo-router (Rust) Nov 6, 2025
Credited to sachindshinde

Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values (High)
GHSA-52c5-vh7f-26fx was published for prosemirror_to_html (RubyGems) Nov 6, 2025
Credited to polypixeldev, Luke-Oldenburg, Spone, and 9021007

OpenTofu affected denials of service in "tofu init" with maliciously-crafted module package responses (Low)
GHSA-w2jf-268q-mrvh was published for github.com/opentofu/opentofu (Go) Nov 6, 2025

Open redirect endpoint in Datasette (Low)
CVE-2025-64481 was published for datasette (pip) Nov 6, 2025
Credited to jamesjefferies

containerd affected by a local privilege escalation via wide permissions on CRI directory (High)
CVE-2024-25621 was published for github.com/containerd/containerd (Go) Nov 6, 2025
Credited to dgl