GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
24,064 advisories
Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink
High
CVE-2025-59430
was published
for
@meshconnect/web-link-sdk
(npm)
Sep 22, 2025
CodeChecker has a buffer overflow in the log command
Moderate
CVE-2025-40843
was published
for
codechecker
(pip)
Sep 22, 2025
Mailgen: HTML injection vulnerability in plaintext e-mails
Moderate
CVE-2025-59526
was published
for
mailgen
(npm)
Sep 22, 2025
`git-comiters` Command Injection vulnerability
High
CVE-2025-59831
was published
for
git-commiters
(npm)
Sep 22, 2025
@conventional-changelog/git-client has Argument Injection vulnerability
Moderate
CVE-2025-59433
was published
for
@conventional-changelog/git-client
(npm)
Sep 22, 2025
Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)
High
CVE-2025-59420
was published
for
authlib
(pip)
Sep 22, 2025
The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded.
High
CVE-2025-9905
was published
for
keras
(pip)
Sep 19, 2025
Keras is vulnerable to Deserialization of Untrusted Data
High
CVE-2025-9906
was published
for
keras
(pip)
Sep 19, 2025
@digitalocean/do-markdownit has Type Confusion vulnerability
Moderate
CVE-2025-59717
was published
for
@digitalocean/do-markdownit
(npm)
Sep 19, 2025
Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages
Moderate
CVE-2025-59417
was published
for
@lobehub/chat
(npm)
Sep 18, 2025
InvokeAI has External Control of File Name or Path
Critical
CVE-2025-6237
was published
for
invokeai
(pip)
Sep 18, 2025
@sequa-ai/sequa-mcp has Command Injection vulnerability
Moderate
CVE-2025-10619
was published
for
@sequa-ai/sequa-mcp
(npm)
Sep 17, 2025
ProTip!
Advisories are also available from the
GraphQL API