Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
42
GitHub Actions
43
Go
3,164
Maven
5,000+
npm
5,000+
NuGet
863
pip
4,458
Pub
12
RubyGems
991
Rust
1,184
Swift
50
Unreviewed advisories
All unreviewed
5,000+

108 advisories

Loading
SimpleEval: Objects (including modules) can leak dangerous modules through to direct access inside the sandbox High
CVE-2026-32640 was published for simpleeval (pip) Mar 13, 2026
ByamB4 Credited to ByamB4 and danthedeckie danthedeckie danthedeckie
Winter vulnerable to privilege escalation by authenticated backend users Critical
CVE-2026-27591 was published for winter/wn-backend-module (Composer) Mar 12, 2026
skyhex19 Credited to skyhex19
django-unicorn affected by component state manipulation via unvalidated attribute access Moderate
CVE-2026-31815 was published for django-unicorn (pip) Mar 11, 2026
RinZ27 Credited to RinZ27
Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint High
CVE-2026-30822 was published for flowise (npm) Mar 6, 2026
yueyueL Credited to yueyueL
Snipe-IT has sensitive user attributes related to account privileges that are insufficiently protected against mass assignment High
CVE-2025-15602 was published for snipe/snipe-it (Composer) Mar 6, 2026
Craft CMS: Entries Authorship Spoofing via Mass Assignment Moderate
CVE-2026-28781 was published for craftcms/cms (Composer) Mar 3, 2026
mHe4am Credited to mHe4am, RajChowdhury240, and rlarabee RajChowdhury240 RajChowdhury240
rlarabee rlarabee
Svelte SSR attribute spreading includes inherited properties from prototype chain Moderate
CVE-2026-27125 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State High
CVE-2026-22814 was published for @adonisjs/lucid (npm) Jan 13, 2026
wodzen Credited to wodzen
UmbracoForms Vulnerable to Remote Code Execution via Untrusted WSDL Compilation in Dynamic SOAP Client Generation Critical
CVE-2025-68924 was published for UmbracoForms (NuGet) Jan 13, 2026
chudyPB Credited to chudyPB
An unauthenticated device registration vulnerability, caused by Improperly Controlled... Moderate Unreviewed
CVE-2025-9315 was published Dec 10, 2025
mdast-util-to-hast has unsanitized class attribute Moderate
CVE-2025-66400 was published for mdast-util-to-hast (npm) Dec 2, 2025
maxminddb's `Reader::open_mmap` unsoundly marks unsafe memmap operation as safe Low
GHSA-mj73-j457-8x9q was published for maxminddb (Rust) Dec 2, 2025
oschwald Credited to oschwald
Withdrawn Advisory: express improperly controls modification of query properties Low
CVE-2024-51999 was published for express (npm) Dec 1, 2025 withdrawn
ctcpip Credited to ctcpip, wesleytodd, jonchurch, bjohansebas, and UlisesGascon wesleytodd wesleytodd
jonchurch jonchurch bjohansebas bjohansebas UlisesGascon UlisesGascon
Drupal core allows Object Injection Moderate
CVE-2025-13081 was published for drupal/core (Composer) Nov 18, 2025
Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc High
CVE-2025-70559 was published for pdfminer.six (pip) Nov 7, 2025
sumanrox Credited to sumanrox
HCL MyXalytics: 6.6.  is affected by Mass Assignment vulnerability. Mass Assignment occurs when... High Unreviewed
CVE-2025-52656 was published Oct 3, 2025
A mass assignment vulnerability exists in danny-avila/librechat, affecting all versions. This... Moderate Unreviewed
CVE-2025-7104 was published Sep 29, 2025
DeepDiff Class Pollution in Delta class leading to DoS, Remote Code Execution, and more Critical
CVE-2025-58367 was published for deepdiff (pip) Sep 3, 2025
diogotcorreia Credited to diogotcorreia
handcraftedinthealps/goodby-csv has Potential Gadget Chain allowing Remote Code Execution Low
CVE-2025-49597 was published for handcraftedinthealps/goodby-csv (Composer) Jun 13, 2025
mcdruid Credited to mcdruid
Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability Moderate
CVE-2025-31674 was published for drupal/core (Composer) Apr 1, 2025
Mesop Class Pollution vulnerability leads to DoS and Jailbreak attacks High
CVE-2025-30358 was published for mesop (pip) Mar 27, 2025
jackfromeast Credited to jackfromeast and superboy-zjc superboy-zjc superboy-zjc
In danny-avila/librechat version v0.7.5-rc2, a vulnerability exists in the preset creation... Moderate Unreviewed
CVE-2024-10359 was published Mar 20, 2025
Camaleon CMS Vulnerable to Privilege Escalation through a Mass Assignment Critical
CVE-2025-2304 was published for camaleon_cms (RubyGems) Mar 14, 2025
Django-Unicorn Class Pollution Vulnerability, Leading to XSS, DoS and Authentication Bypass Critical
CVE-2025-24370 was published for django-unicorn (pip) Feb 3, 2025
superboy-zjc Credited to superboy-zjc and jackfromeast jackfromeast jackfromeast
Apache Struts file upload logic is flawed Critical
CVE-2024-53677 was published for org.apache.struts:struts2-core (Maven) Dec 11, 2024
chximn-dt Credited to chximn-dt
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database