
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

35 advisories

React Server Components have multiple Denial of Service Vulnerabilities (High)
CVE-2026-23864 was published for react-server-dom-parcel (npm) Jan 29, 2026
Credited to mufeedvh, Ry0taK, jviide, and marckwei
Next Vulnerable to Denial of Service with Server Components (High)
GHSA-mwv6-3258-q52c was published for next (npm) Dec 11, 2025
Credited to Ry0taK
Denial of Service Vulnerability in React Server Components (High)
CVE-2025-55184 was published for react-server-dom-parcel (npm) Dec 11, 2025
Credited to Ry0taK
Credited to xdavidhu and Ry0taK
Claude Code Command Validation Bypass Allows Arbitrary Code Execution (High)
CVE-2025-66032 was published for @anthropic-ai/claude-code (npm) Dec 3, 2025
Credited to Ry0taK
Gogs allows deletion of internal files which leads to remote command execution (Critical)
CVE-2024-56731 was published for gogs.io/gogs (Go) Jun 24, 2025
Credited to Ry0taK
Argo CD allows cross-site scripting on repositories page (Critical)
CVE-2025-47933 was published for github.com/argoproj/argo-cd (Go) May 28, 2025
Credited to Ry0taK and crenshaw-dev
Credited to Ry0taK and takumi-san-ai
Next.js may leak x-middleware-subrequest-id to external hosts (Low)
CVE-2025-30218 was published for next (npm) Apr 2, 2025
Credited to Ry0taK and takumi-san-ai
Git LFS permits exfiltration of credentials via crafted HTTP URLs (High)
CVE-2024-53263 was published for github.com/git-lfs/git-lfs (Go) Jan 14, 2025
Credited to Ry0taK
WireGuard Portal v2 Vulnerable to OAuth Insecure Redirect URI / Account Takeover (High)
GHSA-2r2v-9pf8-6342 was published for github.com/h44z/wg-portal (Go) Jan 7, 2025
Credited to Ry0taK
Marp Core allows XSS by improper neutralization of HTML sanitization (Moderate)
CVE-2024-56510 was published for @marp-team/marp-core (npm) Dec 26, 2024
Credited to Ry0taK
Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts (Moderate)
CVE-2024-53858 was published for github.com/cli/cli/v2 (Go) Nov 27, 2024
Credited to BagToad, andyfeller, williammartin, jtmcg, and Ry0taK
`auth.TokenForHost` violates GitHub host security boundary when sourcing authentication token within a codespace (Moderate)
CVE-2024-53859 was published for github.com/cli/go-gh (Go) Nov 27, 2024
Credited to BagToad, williammartin, andyfeller, jtmcg, and Ry0taK
Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer (High)
CVE-2024-52308 was published for github.com/cli/cli (Go) Nov 14, 2024
Credited to sarahbarili, cmbrose, BlueSzy, andyfeller, BagToad, and Ry0taK
Nuxt vulnerable to remote code execution via the browser when running the test locally (Critical)
CVE-2024-34344 was published for nuxt (npm) Aug 5, 2024
Credited to Ry0taK
Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter (Moderate)
CVE-2024-34064 was published for Jinja2 (pip) May 6, 2024
Credited to Ry0taK
Credited to Ry0taK, Grub4K, and pukkandan
Cross-site scripting on application summary component (Critical)
CVE-2024-28175 was published for github.com/argoproj/argo-cd (Go) Mar 15, 2024
Credited to Ry0taK, agaudreault, and crenshaw-dev
RSSHub Cross-site Scripting vulnerability caused by internal media proxy (Moderate)
CVE-2024-27926 was published for rsshub (npm) Mar 6, 2024
Credited to Ry0taK
Credited to Ry0taK and westonsteimel
SvelteKit framework has Insufficient CSRF protection for CORS requests (High)
CVE-2023-29008 was published for @sveltejs/kit (npm) Apr 7, 2023
Credited to Ry0taK, benmccann, dominikg, and Conduitry
rsshub vulnerable to Cross-site Scripting via unvalidated URL parameters (Moderate)
CVE-2023-26491 was published for rsshub (npm) Mar 1, 2023
Credited to Ry0taK
URI validation failure on SVG parsing. Bypass of CVE-2023-23924 (Critical)
CVE-2023-24813 was published for dompdf/dompdf (Composer) Feb 7, 2023
Credited to Ry0taK