Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,717
Maven
5,000+
npm
4,328
NuGet
761
pip
4,105
Pub
12
RubyGems
958
Rust
1,065
Swift
45
Unreviewed advisories
All unreviewed
5,000+

439 advisories

Loading
MCP Watch has a Critical Command Injection in cloneRepo allows Remote Code Execution (RCE) via malicious URL Critical
CVE-2025-66401 was published for mcp-watch (npm) Dec 2, 2025
viralvaghela
Credited to viralvaghela
Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer High
CVE-2025-62703 was published for fugue (pip) Nov 25, 2025
Chenpinji
Credited to Chenpinji
@anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes High
CVE-2025-64755 was published for @anthropic-ai/claude-code (npm) Nov 20, 2025
glob CLI: Command injection via -c/--cmd executes matches with shell:true High
CVE-2025-64756 was published for glob (npm) Nov 17, 2025
Gyde04 aisle-research
G-Rath bchew qwilr-altonius llwslc EinfachHans skremiec AlanGreene isaacs
Credited to Gyde04, aisle-research, G-Rath, bchew, qwilr-altonius, llwslc, EinfachHans, skremiec, AlanGreene, and isaacs
pgAdmin 4 has command injection vulnerability on Windows systems Moderate
CVE-2025-12763 was published for pgadmin4 (pip) Nov 13, 2025
motionEye vulnerable to RCE via unsanitized motion config parameter High
CVE-2025-60787 was published for motioneye (pip) Nov 3, 2025
prabhatverma47 MichaIng
Credited to prabhatverma47 and MichaIng
@react-native-community/cli has arbitrary OS command injection Critical
CVE-2025-11953 was published for @react-native-community/cli (npm) Nov 3, 2025
Malayke cylewaitforit
liamjones conorfitch
Credited to Malayke, cylewaitforit, liamjones, and conorfitch
Apache Airflow has a command injection vulnerability in "example_dag_decorator" Moderate
CVE-2025-54941 was published for apache-airflow (pip) Oct 30, 2025
FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name Moderate
CVE-2025-62801 was published for fastmcp (pip) Oct 29, 2025
nil340
Credited to nil340
Jenkins Azure CLI Plugin does not restrict the commands it executes High
CVE-2025-64140 was published for org.jenkins-ci.plugins:azure-cli (Maven) Oct 29, 2025
Kottster app reinitialization can be re-triggered allowing command injection in development mode High
CVE-2025-62713 was published for @kottster/server (npm) Oct 23, 2025
P0cas
Credited to P0cas
NeuVector Enforcer is vulnerable to Command Injection and Buffer overflow Critical
CVE-2025-54469 was published for github.com/neuvector/neuvector (Go) Oct 21, 2025
Netty has SMTP Command Injection Vulnerability that Allows Email Forgery High
CVE-2025-59419 was published for io.netty:netty-codec-smtp (Maven) Oct 15, 2025
DepthFirstDisclosures
Credited to DepthFirstDisclosures
n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host High
GHSA-365g-vjw2-grx8 was published for n8n (npm) Oct 9, 2025
check-branches is vulnerable to command Injection Critical
CVE-2025-11148 was published for check-branches (npm) Sep 30, 2025
lirantal
Credited to lirantal
Argument injection vulnerability in SonarQube Scan Action High
CVE-2025-59844 was published for SonarSource/sonarqube-scan-action (GitHub Actions) Sep 26, 2025
Command Injection in adb-mcp MCP Server Critical
CVE-2025-59834 was published for adb-mcp (npm) Sep 24, 2025
lirantal
Credited to lirantal
`git-comiters` Command Injection vulnerability High
CVE-2025-59831 was published for git-commiters (npm) Sep 22, 2025
lirantal
Credited to lirantal
Flowise has unsandboxed remote code execution via Custom MCP High
GHSA-6933-jpx5-q87q was published for flowise (npm) Sep 15, 2025
assaf-levkovich-jf
Credited to assaf-levkovich-jf
mcp-kubernetes-server has an OS Command Injection vulnerability Critical
CVE-2025-59377 was published for mcp-kubernetes-server (pip) Sep 15, 2025
cai0duque
Credited to cai0duque
Chaos Controller Manager is vulnerable to OS command injection Critical
CVE-2025-59359 was published for github.com/chaos-mesh/chaos-mesh (Go) Sep 15, 2025
Chaos Controller Manager is vulnerable to OS command injection Critical
CVE-2025-59361 was published for github.com/chaos-mesh/chaos-mesh (Go) Sep 15, 2025
Chaos Controller Manager is vulnerable to OS command injection Critical
CVE-2025-59360 was published for github.com/chaos-mesh/chaos-mesh (Go) Sep 15, 2025
Claude Code vulnerable to arbitrary code execution caused by maliciously configured git email High
CVE-2025-59041 was published for @anthropic-ai/claude-code (npm) Sep 10, 2025
cai0duque
Credited to cai0duque
Hoverfly is vulnerable to Remote Code Execution through an insecure middleware implementation Critical
CVE-2025-54123 was published for github.com/SpectoLabs/hoverfly (Go) Sep 10, 2025
Kr1shna4garwal
Credited to Kr1shna4garwal
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database