GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
109 advisories
Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin...
Critical, Unreviewed: CVE-2025-12107 was published on Feb 19, 2026

GitLab has remediated a vulnerability in the Duo Workflow Service component of GitLab AI Gateway...
Critical, Unreviewed: CVE-2026-1868 was published on Feb 9, 2026

JinJava Bypass through ForTag leads to Arbitrary Java Execution
Critical: CVE-2026-25526 was published for com.hubspot.jinjava:jinjava (Maven) on Feb 3, 2026

A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/...
High, Unreviewed: CVE-2025-69516 was published on Jan 29, 2026

Dell Data Protection Advisor, versions prior to 19.12, contains an Improper Neutralization of...
Moderate, Unreviewed: CVE-2025-46699 was published on Jan 23, 2026

XDocReport affected by a Server-Side Template Injection (SSTI) vulnerability
Critical: CVE-2025-64087 was published for fr.opensagres.xdocreport:fr.opensagres.xdocreport.template.freemarker (Maven) on Jan 20, 2026

Kimai has an Authenticated Server-Side Template Injection (SSTI)
Moderate: CVE-2026-23626 was published for kimai/kimai (Composer) on Jan 20, 2026

OpenMetadata's Server-Side Template Injection (SSTI) in FreeMarker email templates leads to RCE
High: CVE-2026-22244 was published for org.open-metadata:platform (Maven) on Jan 7, 2026

Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
Moderate: CVE-2025-68454 was published for craftcms/cms (Composer) on Jan 5, 2026

Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users
High: CVE-2026-21449 was published for bagisto/bagisto (Composer) on Jan 2, 2026

Bagisto has Normal & Blind SSTI from low-privilege user when ordering product
High: CVE-2026-21448 was published for bagisto/bagisto (Composer) on Jan 2, 2026

Bagisto SSTI vulnerability in type parameter can lead to RCE
High: CVE-2026-21450 was published for bagisto/bagisto (Composer) on Jan 2, 2026

A Server-Side Template Injection (SSTI) vulnerability in the MDX Rendering Engine in Mintlify...
High, Unreviewed: CVE-2025-67843 was published on Dec 19, 2025

Netaxis API Orchestrator (APIO) before 0.19.3 allows server side template injection (SSTI).
Critical, Unreviewed: CVE-2022-23851 was published on Dec 17, 2025

An input neutralization vulnerability in the Webhook Template component of Crafty Controller...
Critical, Unreviewed: CVE-2025-14700 was published on Dec 17, 2025

An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions...
Moderate, Unreviewed: CVE-2025-66436 was published on Dec 15, 2025

An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text...
Critical, Unreviewed: CVE-2025-66434 was published on Dec 15, 2025

An SSTI (Server-Side Template Injection) vulnerability exists in the get_contract_template method...
Moderate, Unreviewed: CVE-2025-66435 was published on Dec 15, 2025

An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method...
High, Unreviewed: CVE-2025-66437 was published on Dec 15, 2025

A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89...
Critical, Unreviewed: CVE-2025-66438 was published on Dec 15, 2025

FoF Pretty Mail has a server-side template injection vulnerability
High: CVE-2024-58303 was published for fof/pretty-mail (Composer) on Dec 12, 2025

Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated...
High, Unreviewed: CVE-2024-58293 was published on Dec 12, 2025

A template injection vulnerability in the /vip/v1/file/save component of ChanCMS v3.3.4 allows...
Critical, Unreviewed: CVE-2025-65602 was published on Dec 10, 2025

Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms
High: CVE-2025-66298 was published for getgrav/grav (Composer) on Dec 2, 2025

Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass
High: CVE-2025-66294 was published for getgrav/grav (Composer) on Dec 2, 2025