CARVIEW |
Select Language
HTTP/2 302
date: Tue, 22 Jul 2025 23:43:11 GMT
content-type: text/plain;charset=UTF-8
content-length: 20
location: https://github.com/advisories
cf-ray: 9636cc7a5de54e3d-BLR
cf-cache-status: EXPIRED
cache-control: public, max-age=14400
strict-transport-security: max-age=31536000; includeSubDomains; preload
vary: x-requested-with, x-spiferack, Accept-Encoding
content-security-policy: connect-src 'self' checkout.stripe.com https://checkout.stripe.com https://billing.stripe.com/session https://api.funcaptcha.com https://api.arkoselabs.com sentry.io api.github.com www.npmjs.com;default-src 'none';img-src * data: https://*.stripe.com;script-src 'self' data: 'unsafe-inline' https://checkout.stripe.com/checkout.js https://checkout.stripe.com https://js.stripe.com/v3 https://platform.twitter.com/widgets.js https://octocaptcha.com https://static-production.npmjs.com/;style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://static-production.npmjs.com/;frame-src checkout.stripe.com https://checkout.stripe.com https://js.stripe.com/ https://octocaptcha.com;font-src https://fonts.gstatic.com https://static-production.npmjs.com/ ;media-src https://player.vimeo.com https://fpdl.vimeocdn.com https://gcs-vimeo.akamaized.net https://vod-progressive.akamaized.net
npm-cost: 1
npm-remaining: 99
x-content-security-policy: connect-src 'self' checkout.stripe.com https://checkout.stripe.com https://billing.stripe.com/session https://api.funcaptcha.com https://api.arkoselabs.com sentry.io api.github.com www.npmjs.com;default-src 'none';img-src * data: https://*.stripe.com;script-src 'self' data: 'unsafe-inline' https://checkout.stripe.com/checkout.js https://checkout.stripe.com https://js.stripe.com/v3 https://platform.twitter.com/widgets.js https://octocaptcha.com https://static-production.npmjs.com/;style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://static-production.npmjs.com/;frame-src checkout.stripe.com https://checkout.stripe.com https://js.stripe.com/ https://octocaptcha.com;font-src https://fonts.gstatic.com https://static-production.npmjs.com/ ;media-src https://player.vimeo.com https://fpdl.vimeocdn.com https://gcs-vimeo.akamaized.net https://vod-progressive.akamaized.net
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
set-cookie: __cf_bm=acuhS13GNhoXaaHCPm3TJcxd26R7mV75E5IuZo041O0-1753227791-1.0.1.1-T4ey0dyFPwSicUgHMoDOOkNOOq8zYYiJrKubv47AqgjVxV5JG1GPGyBZw2GVR0ra64ss9Ng29yYPb51wSMUoWPyy1Jiw3yxZk10ek8okMSw; path=/; expires=Wed, 23-Jul-25 00:13:11 GMT; domain=.npmjs.com; HttpOnly; Secure; SameSite=None
server: cloudflare
HTTP/2 200
date: Tue, 22 Jul 2025 23:43:12 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
etag: W/"bcf67c967c77217e0dc805fae80e901c"
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
server: github.com
content-encoding: gzip
accept-ranges: bytes
set-cookie: _gh_sess=NpH3F1zWzPUVaBpBKD30HpEjmHAPnPwEQixgKQi1y%2FITJ62ZwZAagdcaiZlEDqcLscUB7GuCmmvEIfkes70aQpGArEYhAptdZ56dzYiFXOyluwi48klzGoQ6ZVsf5%2BozamNUR2a0krgdjkyLEOn07forf3Gdm%2F3tT1vxfskP42fTManssmIiovD47V6iBfD6t2aWPJhOlEmGARKQmTlmE25s6SPfx2mRQUDIKVS1ihVN8J9kAIbygL%2Bn4jlDTr3TStRTCqhdpQZKphR8vXL%2B%2FQ%3D%3D--vOjKM81Wp5aPdYSm--IHgKdHltxz%2BYpkkFYkcJyw%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.2025697481.1753227791; Path=/; Domain=github.com; Expires=Wed, 22 Jul 2026 23:43:11 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Wed, 22 Jul 2026 23:43:11 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: ED02:3CF5A2:1CB442:27A5CD:6880220F
GitHub Advisory Database · GitHub
Loading
Skip to content
Navigation Menu
GitHub Advisory Database
{{ message }}
GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
4,809
Erlang
36
GitHub Actions
31
Go
2,393
Maven
5,000+
npm
4,026
NuGet
720
pip
3,818
Pub
12
RubyGems
932
Rust
988
Swift
38
Unreviewed advisories
All unreviewed
5,000+
23,242 advisories
Filter by severity
Ollama vulnerable to Cross-Domain Token Exposure
Moderate
CVE-2025-51471
was published
for
github.com/ollama/ollama
(Go)
Jul 22, 2025
Aim vulnerable to Cross-site Scripting
Moderate
CVE-2025-51464
was published
for
aim
(pip)
Jul 22, 2025
Dagster Local File Inclusion vulnerability
Moderate
CVE-2025-51481
was published
for
dagster
(pip)
Jul 22, 2025
Authentik has insufficient check for account active status when authenticating with OAuth/SAML Sources
High
CVE-2025-53942
was published
for
goauthentik.io
(Go)
Jul 22, 2025
Kyverno's Improper JMESPath Variable Evaluation Lead to Denial of Service
High
CVE-2025-47281
was published
for
github.com/kyverno/kyverno
(Go)
Jul 22, 2025
Femanager extension for TYPO3 allows Insecure Direct Object Reference
Moderate
CVE-2025-7900
was published
for
in2code/femanager
(Composer)
Jul 22, 2025
Powermail extension for TYPO3 allows Insecure Direct Object Reference
Moderate
CVE-2025-7899
was published
for
in2code/powermail
(Composer)
Jul 22, 2025
`pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write
High
CVE-2025-54140
was published
for
pyload-ng
(pip)
Jul 21, 2025
HAX CMS application pages vulnerable to clickjacking
Moderate
CVE-2025-54139
was published
for
@haxtheweb/haxcms-nodejs
(Composer)
Jul 21, 2025
LibreNMS has Authenticated Remote File Inclusion in ajax_form.php that Allows RCE
High
CVE-2025-54138
was published
for
librenms/librenms
(Composer)
Jul 21, 2025
NodeJS version of the HAX CMS application is distributed with Default Secrets
High
CVE-2025-54137
was published
for
@haxtheweb/haxcms-nodejs
(npm)
Jul 21, 2025
HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service
High
CVE-2025-54134
was published
for
@haxtheweb/haxcms-nodejs
(npm)
Jul 21, 2025
NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting
High
CVE-2025-54128
was published
for
@haxtheweb/haxcms-nodejs
(npm)
Jul 21, 2025
NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access
Critical
CVE-2025-54127
was published
for
@haxtheweb/haxcms-nodejs
(npm)
Jul 21, 2025
Nokogiri patches vendored libxml2 to resolve multiple CVEs
Critical
GHSA-353f-x4gh-cqq8
was published
for
nokogiri
(RubyGems)
Jul 21, 2025
Starlette has possible denial-of-service vector when parsing large files in multipart forms
Moderate
CVE-2025-54121
was published
for
starlette
(pip)
Jul 21, 2025
Dolibarr has Remote Code Execution Vulnerability (Bypass)
High
GHSA-49xw-hw94-fmv2
was published
for
dolibarr/dolibarr
(Composer)
Jul 21, 2025
RageAgainstThePixel/setup-steamcmd leaked authentication token in job output logs
High
GHSA-c5qx-p38x-qf5w
was published
for
RageAgainstThePixel/setup-steamcmd
(GitHub Actions)
Jul 21, 2025
buildalon/setup-steamcmd leaked authentication token in job output logs
High
GHSA-mj96-mh85-r574
was published
for
buildalon/setup-steamcmd
(GitHub Actions)
Jul 21, 2025
nova-tiptap has Unauthenticated Arbitrary File Upload Vulnerability
Critical
CVE-2025-54082
was published
for
manogi/nova-tiptap
(Composer)
Jul 21, 2025
form-data uses unsafe random function in form-data for choosing boundary
Critical
CVE-2025-7783
was published
for
form-data
(npm)
Jul 21, 2025
Alchemy Non-SMA and Webauthn Account Security Advisory
High
GHSA-56r6-ccm5-8hg3
was published
for
@account-kit/smart-contracts
(npm)
Jul 21, 2025
@translated/lara-mcp vulnerable to command injection in import_tmx tool
High
CVE-2025-53832
was published
for
@translated/lara-mcp
(npm)
Jul 21, 2025
Cadwyn vulnerable to XSS on the docs page
Low
CVE-2025-53528
was published
for
cadwyn
(pip)
Jul 21, 2025
Apache Jena doesn't validate file access paths in configuration files uploaded by users with administrator access
High
CVE-2025-50151
was published
for
org.apache.jena:jena
(Maven)
Jul 21, 2025
ProTip!
Advisories are also available from the
GraphQL API
You can’t perform that action at this time.