Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,874
Erlang
37
GitHub Actions
36
Go
2,520
Maven
5,000+
npm
4,160
NuGet
741
pip
3,961
Pub
12
RubyGems
946
Rust
1,028
Swift
39
Unreviewed advisories
All unreviewed
5,000+

415 advisories

Loading
`git-comiters` Command Injection vulnerability High
GHSA-g38c-wxjf-xrh6 was published for git-commiters (npm) Sep 22, 2025
lirantal
FitNesse allows execution of arbitrary OS commands Critical
CVE-2024-28125 was published for org.fitnesse:fitnesse (Maven) Mar 18, 2024
OctoPrint is Vulnerable to RCE Attacks via Unsanitized Filename in File Upload High
CVE-2025-58180 was published for octoprint (pip) Sep 9, 2025
prabhatverma47
mcp-kubernetes-server has an OS Command Injection vulnerability Low
CVE-2025-59377 was published for mcp-kubernetes-server (pip) Sep 15, 2025
Chaos Controller Manager is vulnerable to OS command injection Critical
CVE-2025-59360 was published for github.com/chaos-mesh/chaos-mesh (Go) Sep 15, 2025
Chaos Controller Manager is vulnerable to OS command injection Critical
CVE-2025-59359 was published for github.com/chaos-mesh/chaos-mesh (Go) Sep 15, 2025
Chaos Controller Manager is vulnerable to OS command injection Critical
CVE-2025-59361 was published for github.com/chaos-mesh/chaos-mesh (Go) Sep 15, 2025
Flowise has unsandboxed remote code execution via Custom MCP High
GHSA-6933-jpx5-q87q was published for flowise (npm) Sep 15, 2025
assaf-levkovich-jf
wong2 mcp-cli Command Injection Vulnerability Low
CVE-2025-9262 was published for @wong2/mcp-cli (npm) Aug 21, 2025
Hoverfly is vulnerable to Remote Code Execution through an insecure middleware implementation Critical
CVE-2025-54123 was published for github.com/SpectoLabs/hoverfly (Go) Sep 10, 2025
Kr1shna4garwal
@akoskm/create-mcp-server-stdio is vulnerable to MCP Server Command Injection through `exec` API Critical
CVE-2025-54994 was published for @akoskm/create-mcp-server-stdio (npm) Sep 8, 2025
lirantal
TkEasyGUI Vulnerable to OS Command Injection Critical
CVE-2025-55037 was published for TkEasyGUI (pip) Sep 5, 2025
XStream can be used for Remote Code Execution High
CVE-2020-26217 was published for com.thoughtworks.xstream:xstream (Maven) Nov 16, 2020
Valtimo scripting engine can be used to gain access to sensitive data or resources Critical
CVE-2025-58059 was published for com.ritense.valtimo:core (Maven) Aug 28, 2025
LLama Factory Remote OS Command Injection Vulnerability High
CVE-2024-52803 was published for llamafactory (pip) Nov 21, 2024
superboy-zjc
Job Iteration API is vulnerable to OS Command Injection attack through its CsvEnumerator class Critical
CVE-2025-53623 was published for job-iteration (RubyGems) Jul 14, 2025
calysteon yehuda-alt
Flowise OS command remote code execution Critical
CVE-2025-8943 was published for flowise (npm) Aug 14, 2025
Claude Code's Permissive Default Allowlist Enables Unauthorized File Read and Network Exfiltration in Claude Code High
CVE-2025-55284 was published for @anthropic-ai/claude-code (npm) Aug 18, 2025
OliveTin OS Command Injection vulnerability High
CVE-2025-50946 was published for github.com/OliveTin/OliveTin (Go) Aug 13, 2025
Withdrawn Advisory: Thor can construct an unsafe shell command from library input. High
CVE-2025-54314 was published for thor (RubyGems) Jul 20, 2025 withdrawn
odaysec
Withdrawn Advisory: bun vulnerable to OS Command Injection High
CVE-2025-8022 was published for bun (npm) Jul 23, 2025 withdrawn
lirantal
Claude Code echo command allowed bypass of user approval prompt for command execution High
CVE-2025-54795 was published for @anthropic-ai/claude-code (npm) Aug 4, 2025
@nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers Critical
CVE-2025-54782 was published for @nestjs/devtools-integration (npm) Aug 1, 2025
JLLeitschuh
Apache Spark UI can allow impersonation if ACLs enabled High
CVE-2022-33891 was published for org.apache.spark:spark-parent_2.12 (Maven) Jul 19, 2022
alowayed
Remote Code Execution Vulnerability in NPM mongo-express Critical
CVE-2019-10758 was published for mongo-express (npm) Dec 30, 2019
JLLeitschuh
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database