Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,740
Maven
5,000+
npm
4,338
NuGet
765
pip
4,112
Pub
12
RubyGems
960
Rust
1,068
Swift
45
Unreviewed advisories
All unreviewed
5,000+

4,339 advisories

Loading
Flowise vulnerable to RCE via Dynamic function constructor injection Critical
CVE-2025-55346 was published for flowise (npm) Oct 6, 2025
assaf-levkovich-jf
Credited to assaf-levkovich-jf
Duplicate Advisory: Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel High
GHSA-7rgr-72hp-9wp3 was published for flowise (npm) Oct 6, 2025 withdrawn
Duplicate Advisory: Flowise Stored XSS vulnerability through logs in chatbot High
GHSA-wq95-wr7m-26h4 was published for flowise (npm) Oct 6, 2025 withdrawn
MCPHub has an Improper Authorization vulnerability via its handleSseConnection function Moderate
CVE-2025-11287 was published for @samanhappy/mcphub (npm) Oct 5, 2025
MCPHub's ServerController is vulnerable to Command Injection Low
CVE-2025-11285 was published for @samanhappy/mcphub (npm) Oct 5, 2025
Flowise Stored XSS vulnerability through logs in chatbot Moderate
CVE-2025-29192 was published for flowise (npm) Oct 3, 2025
LIFE-team2024
Credited to LIFE-team2024
Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel Critical
CVE-2025-50538 was published for flowise (npm) Oct 3, 2025
mikensec
Credited to mikensec
Flowise vulnerable to XSS Moderate
GHSA-4fr9-3x69-36wv was published for flowise (npm) Oct 3, 2025
quitbug
Credited to quitbug
Claude Code permission deny bypass through symlink Low
CVE-2025-59829 was published for @anthropic-ai/claude-code (npm) Oct 3, 2025
Claude Code can execute commands prior to the startup trust dialog High
CVE-2025-59536 was published for @anthropic-ai/claude-code (npm) Oct 3, 2025
Fiora chat user avatar is vulnerable to XSS via SVG files Low
CVE-2025-56514 was published for fiora (npm) Oct 1, 2025
Fiora chat group avatar is vulnerable to XSS via SVG files Low
CVE-2025-56515 was published for fiora (npm) Oct 1, 2025
@plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user High
CVE-2025-61668 was published for @plone/volto (npm) Oct 1, 2025
validator.js has a URL validation bypass vulnerability in its isURL function Moderate
CVE-2025-56200 was published for validator (npm) Sep 30, 2025
G-Rath Moumouls
aleyipsoftwire
Credited to G-Rath, Moumouls, and aleyipsoftwire
Finance.js vulnerable to DoS via the IRR function’s depth parameter High
CVE-2025-56571 was published for financejs (npm) Sep 30, 2025
Finance.js vulnerable to DoS via the seekZero() parameter High
CVE-2025-56572 was published for financejs (npm) Sep 30, 2025
figma-developer-mcp vulnerable to command injection in get_figma_data tool High
CVE-2025-53967 was published for figma-developer-mcp (npm) Sep 30, 2025
dellalibera
Credited to dellalibera
check-branches is vulnerable to command Injection Critical
CVE-2025-11148 was published for check-branches (npm) Sep 30, 2025
lirantal
Credited to lirantal
@nubosoftware/node-static failure to catch exception can result in server crash High
CVE-2025-11149 was published for @nubosoftware/node-static (npm) Sep 30, 2025
lirantal
Credited to lirantal
algoliasearch-helper is vulnerable to Prototype Pollution in _merge() Moderate
CVE-2025-3193 was published for algoliasearch-helper (npm) Sep 27, 2025
Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass High
CVE-2025-59845 was published for @apollo/explorer (npm) Sep 26, 2025
ekzyis 0x9x-ui
Credited to ekzyis and 0x9x-ui
express-xss-sanitizer has an unbounded recursion depth Moderate
CVE-2025-59364 was published for express-xss-sanitizer (npm) Sep 26, 2025
get-jwks: poisoned JWKS cache allows post-fetch issuer validation bypass Critical
CVE-2025-59936 was published for get-jwks (npm) Sep 26, 2025
epureionut99
Credited to epureionut99
cors-anywhere vulnerable to server-side request forgery Critical
CVE-2020-36851 was published for cors-anywhere (npm) Sep 25, 2025
apidoc-core is vulnerable to prototype pollution High
CVE-2025-57317 was published for apidoc-core (npm) Sep 25, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database