GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
1,362 advisories
Astro Cloudflare adapter has Stored Cross Site Scripting vulnerability in /_image endpoint
Moderate
CVE-2025-65019
was published
for
astro
(npm)
Nov 19, 2025
Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values
Moderate
CVE-2025-64765
was published
for
astro
(npm)
Nov 19, 2025
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message
Moderate
CVE-2025-64758
was published
for
@dependencytrack/frontend
(npm)
Nov 17, 2025
Directus is Vulnerable to Stored Cross-site Scripting
Moderate
CVE-2025-64747
was published
for
directus
(npm)
Nov 14, 2025
Directus has Improper Permission Handling on Deleted Fields
Moderate
CVE-2025-64746
was published
for
directus
(npm)
Nov 14, 2025
js-yaml has prototype pollution in merge (<<)
Moderate
CVE-2025-64718
was published
for
js-yaml
(npm)
Nov 14, 2025
Directus Vulnerable to Information Leakage in Existing Collections
Moderate
CVE-2025-64749
was published
for
@directus/api
(npm)
Nov 13, 2025
Directus's conceal fields are searchable if read permissions enabled
Moderate
CVE-2025-64748
was published
for
@directus/api
(npm)
Nov 13, 2025
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
Moderate
CVE-2025-64525
was published
for
astro
(npm)
Nov 13, 2025
Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details
Moderate
CVE-2025-64502
was published
for
parse-server
(npm)
Nov 13, 2025
node-tar has a race condition leading to uninitialized memory exposure
Moderate
CVE-2025-64118
was published
for
tar
(npm)
Oct 30, 2025
NextAuthjs Email misdelivery Vulnerability
Moderate
GHSA-5jpx-9hw9-2fx4
was published
for
next-auth
(npm)
Oct 29, 2025
rollbar vulnerable to Prototype Pollution in merge()
Moderate
CVE-2025-62517
was published
for
rollbar
(npm)
Oct 23, 2025
Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic
Moderate
CVE-2025-62595
was published
for
koa
(npm)
Oct 21, 2025
Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read
Moderate
GHSA-vffh-c9pq-4crh
was published
for
uptime-kuma
(npm)
Oct 20, 2025
vite allows server.fs.deny bypass via backslash on Windows
Moderate
CVE-2025-62522
was published
for
vite
(npm)
Oct 20, 2025
Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers
Moderate
GHSA-xvp7-8vm8-xfxx
was published
for
@actual-app/sync-server
(npm)
Oct 20, 2025
Strapi core vulnerable to sensitive data exposure via CORS misconfiguration
Moderate
CVE-2025-53092
was published
for
@strapi/core
(npm)
Oct 16, 2025
ProTip!
Advisories are also available from the
GraphQL API