GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
25,014 advisories
Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments Moderate
CVE-2025-13877 was published for @nocobase/auth (npm) Dec 9, 2025
Shopware Storefront Reflected XSS in Storefront Login Page High
CVE-2025-67648 was published for shopware/shopware (Composer) Dec 9, 2025
SAML PHP Toolkit Vulnerability on xmlseclibs CVE-2025-66475 Critical
GHSA-5j8p-438x-rgg5 was published for onelogin/php-saml (Composer) Dec 9, 2025
Neuron MySQLWriteTool allows arbitrary/destructive SQL when exposed to untrusted prompts (agent “footgun”) Critical
CVE-2025-67510 was published for neuron-core/neuron-ai (Composer) Dec 9, 2025
Neuron MySQLSelectTool “read-only” bypass via `SELECT ... INTO OUTFILE` (file write → potential RCE) High
CVE-2025-67509 was published for neuron-core/neuron-ai (Composer) Dec 9, 2025
Filament multi-factor authentication (app) recovery codes can be used multiple times High
CVE-2025-67507 was published for filament/filament (Composer) Dec 9, 2025
CNA Plugins Portmap nftables backend can intercept non-local traffic Moderate
CVE-2025-67499 was published for github.com/containernetworking/plugins (Go) Dec 9, 2025
SiYuan vulnerable to RCE via zip slip and Command Injection via PandocBin High
GHSA-4r66-7rcv-x46x was published for github.com/siyuan-note/siyuan/kernel (Go) Dec 9, 2025
SiYuan: ZipSlip -> Arbitrary File Overwrite -> RCE High
CVE-2025-67488 was published for github.com/siyuan-note/siyuan/kernel (Go) Dec 9, 2025
HTTP/HTTPS Traffic Interception Bypass in mad-proxy Moderate
CVE-2025-67485 was published for mad-proxy (pip) Dec 9, 2025
RCE via ZipSlip and symbolic links in argoproj/argo-workflows High
CVE-2025-66626 was published for github.com/argoproj/argo-workflows (Go) Dec 9, 2025
Elysia affected by arbitrary code injection through cookie config High
CVE-2025-66457 was published for elysia (npm) Dec 9, 2025
Elysia vulnerable to prototype pollution with multiple standalone schema validation Critical
CVE-2025-66456 was published for elysia (npm) Dec 9, 2025
Open Redirect Vulnerability in Taguette Moderate
CVE-2025-67502 was published for taguette (pip) Dec 9, 2025
NiceGUI has a path traversal in app.add_media_files() allows arbitrary file read High
CVE-2025-66645 was published for nicegui (pip) Dec 9, 2025
ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login High
CVE-2025-67495 was published for github.com/zitadel/zitadel (Go) Dec 8, 2025
ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login High
GHSA-pfrf-9r5f-73f5 was published for github.com/zitadel/zitadel (Go) Dec 8, 2025
ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login Critical
CVE-2025-67494 was published for github.com/zitadel/zitadel (Go) Dec 8, 2025
Static Web Server vulnerable to a symbolic link path traversal Moderate
CVE-2025-67487 was published for static-web-server (Rust) Dec 8, 2025
ProTip! Advisories are also available from the GraphQL API