Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
86
GitHub Actions
54
Go
4,175
Maven
5,000+
npm
5,000+
NuGet
1,019
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,421
Swift
61
Unreviewed advisories
All unreviewed
5,000+

28 advisories

Loading
phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username/Email Enumeration High
CVE-2026-35675 was published for phpmyfaq/phpmyfaq (Composer) May 20, 2026
cyberHunter127 Credited to cyberHunter127
Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation High
CVE-2026-45364 was published for better-auth (npm) May 15, 2026
nexryai Credited to nexryai
Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force) High
CVE-2026-41893 was published for signalk-server (npm) May 4, 2026
Wildfly Elytron integration susceptible to brute force attacks via CLI High
CVE-2025-23368 was published for org.wildfly.core:wildfly-elytron-integration (Maven) Feb 13, 2026
Moodle Affected by Improper Restriction of Excessive Authentication Attempts High
CVE-2025-67853 was published for moodle/moodle (Composer) Feb 3, 2026
Zitadel allows brute-forcing authentication factors High
CVE-2025-64102 was published for github.com/zitadel/zitadel (Go) Oct 29, 2025
livio-a Credited to livio-a, IAM-marco, and evilgensec IAM-marco IAM-marco
evilgensec evilgensec
Moodle vulnerable to brute-force password guesses High
CVE-2025-62399 was published for moodle/moodle (Composer) Oct 23, 2025
Soosyze CMS's /user/login endpoint missing rate-limiting and lockout mechanisms High
CVE-2025-52392 was published for soosyze/soosyze (Composer) Aug 13, 2025
Duplicate Advisory: Wildfly Elytron integration susceptible to brute force attacks via CLI High
GHSA-3jxr-23ph-c89g was published for org.wildfly.core:wildfly-elytron-integration (Maven) Mar 4, 2025 withdrawn
Magento does not properly restrict excessive authentication attempts High
CVE-2024-39398 was published for magento/community-edition (Composer) Aug 14, 2024
eZ Platform Admin UI Password reset vulnerability High
GHSA-hfpp-2vhw-qq43 was published for ezsystems/ezplatform-user (Composer) May 15, 2024
eZ Platform Password reset vulnerability High
GHSA-cg84-55jx-4237 was published for ezsystems/ezplatform-admin-ui (Composer) May 15, 2024
ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass High
CVE-2024-32868 was published for github.com/zitadel/zitadel (Go) Apr 25, 2024
livio-a Credited to livio-a, Skelmis, itz-d0dgy, amit-laish, muhlemmer, and peintnermax Skelmis Skelmis
itz-d0dgy itz-d0dgy amit-laish amit-laish muhlemmer muhlemmer peintnermax peintnermax
CasaOS Improper Restriction of Excessive Authentication Attempts vulnerability High
CVE-2024-24767 was published for github.com/IceWhaleTech/CasaOS-UserService (Go) Mar 6, 2024
DrDark1999 Credited to DrDark1999
WWBN AVideo Improper Restriction of Excessive Authentication Attempts vulnerability High
CVE-2023-49810 was published for wwbn/avideo (Composer) Jan 10, 2024
generator-jhipster allows a timing attack against validateToken due to a string comparison that stops at the first character High
CVE-2015-20110 was published for generator-jhipster (npm) Oct 31, 2023
Flask-AppBuilder Has No Rate Limiting on Login AUTH DB High
CVE-2023-29005 was published for Flask-AppBuilder (pip) Apr 10, 2023
XWiki Platform packages Expose Sensitive Information to an Unauthorized Actor High
CVE-2023-26476 was published for org.xwiki.platform:xwiki-platform-livetable-ui (Maven) Mar 3, 2023
Improper Restriction of Excessive Authentication Attempts in modoboa High
CVE-2023-0860 was published for modoboa (pip) Feb 16, 2023
No protection against brute-force attacks on login page High
CVE-2023-25156 was published for kiwitcms (pip) Feb 15, 2023
OpenStack Keystone allows information disclosure during account locking High
CVE-2021-38155 was published for keystone (pip) May 24, 2022
OATHAuth extension in MediaWiki is not implementing rate limit High
CVE-2020-25827 was published for mediawiki/core (Composer) May 24, 2022
Pimcore Discloses Usernames In Use High
CVE-2019-18986 was published for pimcore/pimcore (Composer) May 24, 2022
Keycloak Improper Bruteforce Detection High
CVE-2018-14657 was published for org.keycloak:keycloak-parent (Maven) May 13, 2022
SaltStack RSA Key Generation allows remote users to decrypt communications High
CVE-2013-2228 was published for salt (pip) May 5, 2022
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database