Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,464
Erlang
33
GitHub Actions
22
Go
2,163
Maven
5,000+
npm
3,821
NuGet
696
pip
3,502
Pub
12
RubyGems
909
Rust
904
Swift
38
Unreviewed advisories
All unreviewed
5,000+

3,821 advisories

Loading
Directus allows updates to non-allowed fields due to overlapping policies Moderate
CVE-2025-27089 was published for @directus/api (npm) Feb 19, 2025
hanneskuettner
JSONPath Plus allows Remote Code Execution High
CVE-2025-1302 was published for jsonpath-plus (npm) Feb 15, 2025
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking Moderate
CVE-2025-25290 was published for @octokit/request (npm) Feb 14, 2025
ShiyuBanzhou MaikelvandenHurk-TomTom
@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking Moderate
CVE-2025-25289 was published for @octokit/request-error (npm) Feb 14, 2025
ShiyuBanzhou
@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking Moderate
CVE-2025-25288 was published for @octokit/plugin-paginate-rest (npm) Feb 14, 2025
ShiyuBanzhou MaikelvandenHurk-TomTom
@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking Moderate
CVE-2025-25285 was published for @octokit/endpoint (npm) Feb 14, 2025
ShiyuBanzhou
Vega allows Cross-site Scripting via the vlSelectionTuples function Moderate
CVE-2025-25304 was published for vega (npm) Feb 14, 2025
FallingPineapples domoritz
DOMPurify allows Cross-site Scripting (XSS) Moderate
CVE-2025-26791 was published for dompurify (npm) Feb 14, 2025
Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) Critical
GHSA-vjh7-7g9h-fjfh was published for elliptic (npm) Feb 12, 2025
ChALkeR jprichardson
parse-duration has a Regex Denial of Service that results in event loop delay and out of memory High
CVE-2025-25283 was published for parse-duration (npm) Feb 12, 2025
lirantal
Inefficient Regular Expression Complexity in koa Critical
CVE-2025-25200 was published for koa (npm) Feb 12, 2025
R4356th
Authentication bypass in @sap/approuter High
CVE-2025-24876 was published for @sap/approuter (npm) Feb 11, 2025
rosenblueh
Cross-site Scripting (XSS) in serialize-javascript Moderate
CVE-2024-11831 was published for serialize-javascript (npm) Feb 10, 2025
mhassan1
Unknown vulnerability in Coinbase Wallet SDK High
GHSA-8rgj-285w-qcq4 was published for @coinbase/wallet-sdk (npm) Feb 10, 2025
esbuild enables any website to send any requests to the development server and read the response Moderate
GHSA-67mh-4wv8-2f99 was published for esbuild (npm) Feb 10, 2025
sapphi-red
Parsed HTML anchor links in Markdown provided to parseMarkdown can result in XSS in @nuxtjs/mdc Critical
CVE-2025-24981 was published for @nuxtjs/mdc (npm) Feb 6, 2025
lirantal
@rpldy/uploader prototype pollution High
CVE-2024-57082 was published for @rpldy/uploader (npm) Feb 6, 2025
yoavniran
@zag-js/core prototype pollution High
CVE-2024-57079 was published for @zag-js/core (npm) Feb 6, 2025
taraspos
eazy-logger prototype pollution High
CVE-2024-57075 was published for eazy-logger (npm) Feb 6, 2025
RDIL
utils-extend Prototype Pollution Critical
CVE-2024-57077 was published for utils-extend (npm) Feb 6, 2025
vxe-table prototype pollution High
CVE-2024-57080 was published for vxe-table (npm) Feb 6, 2025
@tanstack/form-core prototype pollution High
CVE-2024-57068 was published for @tanstack/form-core (npm) Feb 6, 2025
Balastrong
@ndhoule/defaults prototype pollution High
CVE-2024-57066 was published for @ndhoule/defaults (npm) Feb 6, 2025
module-from-string prototype pollution High
CVE-2024-57072 was published for module-from-string (npm) Feb 6, 2025
Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting) Critical
GHSA-9x4v-xfq5-m8x5 was published for better-auth (npm) Feb 5, 2025
Eriner
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database