GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
31 advisories
Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin...
Critical | Unreviewed | CVE-2025-12107 was published on Feb 19, 2026

XDocReport affected by a Server-Side Template Injection (SSTI) vulnerability
Critical | CVE-2025-64087 was published for fr.opensagres.xdocreport:fr.opensagres.xdocreport.template.freemarker (Maven) on Jan 20, 2026

GitLab has remediated a vulnerability in the Duo Workflow Service component of GitLab AI Gateway...
Critical | Unreviewed | CVE-2026-1868 was published on Feb 9, 2026

JinJava Bypass through ForTag leads to Arbitrary Java Execution
Critical | CVE-2026-25526 was published for com.hubspot.jinjava:jinjava (Maven) on Feb 3, 2026

A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89...
Critical | Unreviewed | CVE-2025-66438 was published on Dec 15, 2025

An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text...
Critical | Unreviewed | CVE-2025-66434 was published on Dec 15, 2025

A template injection vulnerability in the /vip/v1/file/save component of ChanCMS v3.3.4 allows...
Critical | Unreviewed | CVE-2025-65602 was published on Dec 10, 2025

Netaxis API Orchestrator (APIO) before 0.19.3 allows server side template injection (SSTI).
Critical | Unreviewed | CVE-2022-23851 was published on Dec 17, 2025

An input neutralization vulnerability in the Webhook Template component of Crafty Controller...
Critical | Unreviewed | CVE-2025-14700 was published on Dec 17, 2025

wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3...
Critical | Unreviewed | CVE-2025-32461 was published on Apr 9, 2025

zhangyd-c OneBlog before 2.3.9 was vulnerable to SSTI (Server-Side Template Injection) via...
Critical | Unreviewed | CVE-2025-60355 was published on Oct 28, 2025

Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection...
Critical | Unreviewed | CVE-2024-23692 was published on May 31, 2024

Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise...
Critical | Unreviewed | CVE-2025-37729 was published on Oct 13, 2025

jinjava has Sandbox Bypass via JavaType-Based Deserialization
Critical | CVE-2025-59340 was published for com.hubspot.jinjava:jinjava (Maven) on Sep 17, 2025

changedetection.io has a Server Side Template Injection using Jinja2 which allows Remote Command Execution
Critical | CVE-2024-32651 was published for changedetection.io (pip) on Oct 15, 2024

LaRecipe is vulnerable to Server-Side Template Injection attacks
Critical | CVE-2025-53833 was published for binarytorch/larecipe (Composer) on Jul 14, 2025

Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings...
Critical | Unreviewed | CVE-2025-47916 was published on May 16, 2025

listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user
Critical | CVE-2025-49136 was published for github.com/knadh/listmonk (Go) on Jun 9, 2025

IPW Systems Metazo through 8.1.3 allows unauthenticated Remote Code Execution because...
Critical | Unreviewed | CVE-2025-46661 was published on Apr 28, 2025

Code injection in RazorEngine
Critical | CVE-2021-46703 was published for RazorEngine (NuGet) on Mar 7, 2022

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Podlove...
Critical | Unreviewed | CVE-2024-52393 was published on Nov 14, 2024

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in...
Critical | Unreviewed | CVE-2024-49271 was published on Oct 16, 2024

The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and...
Critical | Unreviewed | CVE-2024-12583 was published on Jan 4, 2025

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Supsystic...
Critical | Unreviewed | CVE-2024-52434 was published on Nov 18, 2024

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Saso...
Critical | Unreviewed | CVE-2024-52427 was published on Nov 18, 2024