GithubExploit, added 2026/05/18 10:11 p.m. (43 views)

cve-arsenal

CVE Arsenal Automated CVE exploit scanners and Nuclei templat...

AI score 5.8; Exploits 0
Github Security Blog, added 2026/04/01 7:20 p.m. (2 views)

Securing the open source supply chain across GitHub

Over the past year, a new pattern has emerged in attacks on the open source supply chain. Attackers are focusing on exfiltrating secrets such as API keys, both to publish malicious packages from an attacker-controlled machine and to gain access to more projects in order to propagate the...

AI score 5.9; Exploits 0
Github Security Blog, added 2026/03/26 4:00 p.m. (6 views)

A year of open source vulnerability trends: CVEs, advisories, and malware

GitHub published 4,101 reviewed advisories in 2025, the fewest reviewed advisories since 2021. Does this mean open source is shipping more secure code? Let's dig into the data to find out. GitHub reviewed advisories: Fewer advisories reviewed doesn't mean fewer vulnerabilities we...

AI score 5.6; Exploits 0
CNNVD, added 2026/02/27 12:00 a.m. (3 views)

OCaml Security Advisory Database security vulnerability

The OCaml Security Advisory Database is the security advisory database for the open-source OCaml language. OCaml versions prior to 4.14.3 and 5.x versions before 5.4.1 contain security vulnerabilities (the version numbers refer to the OCaml compiler and runtime, not to the advisory database itself). These vulnerabilities stem from buffer over-reads (excessive buffer reading)...

CVSS 7.9, AI score 6.2, EPSS 0.00051; Exploits 0, References 3
OSV, added 2025/12/31 6:30 a.m. (1 view)

GHSA-MRFV-M5WM-5W6W libsodium has Incomplete List of Disallowed Inputs

libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data passed to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. This advisory...

CVSS 4.5, AI score 5.9, EPSS 0.00005; Exploits 0, References 14
OSV, added 2025/10/21 12:00 a.m. (1 view)

OPENSUSE-SU-2025:15652-1 cargo-audit-advisory-db-20251021-1.1 on GA media

These are all security issues fixed in the cargo-audit-advisory-db-20251021-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS 7.5, AI score 5.8, EPSS 0.0004; Exploits 0, References 1
Gitee, added 2025/09/06 2:37 a.m. (87 views)

ruby-advisory-db

This is a database of security advisories for Ruby libraries, maintained by the ruby-advisory-db project. The database contains a list of directories that match the names of Ruby libraries on rubygems.org, with each directory containing one or more advisory files for the library. Each advisory fi...

AI score 6.7; Exploits 0
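The layout described in that entry (one directory per gem, one YAML advisory file per issue) is what a scanner such as bundler-audit reads. The following is an added example, not code from the ruby-advisory-db project or from bundler-audit, showing how such a file is parsed and how a locked gem version is tested against its `patched_versions` and `unaffected_versions` lists. The field names follow the project's schema; the advisory itself (example-gem, CVE-0000-00000, the URL and the version ranges) is constructed for this example and describes no real vulnerability, and the `gems/<name>/<id>.yml` path is assumed from the entry's description.

```ruby
require "yaml"
require "date"
require "rubygems"

# Constructed sample in the ruby-advisory-db file layout (assumed: gems/<gem name>/<id>.yml).
# Field names follow the project's schema; the gem name, identifier, URL, versions and
# text are invented for this example and describe no real vulnerability.
SAMPLE_ADVISORY_YAML = <<~YAML
  ---
  gem: example-gem
  cve: "0000-00000"
  url: https://example.invalid/advisories/example
  title: Constructed advisory used to exercise the matcher
  date: 2025-01-01
  description: |
    Placeholder text for a made-up issue.
  cvss_v3: 7.5
  patched_versions:
    - "~> 1.2.5"
    - ">= 1.3.2"
  unaffected_versions:
    - "< 1.0.0"
YAML

Advisory = Struct.new(:gem, :id, :title, :patched, :unaffected, keyword_init: true)

# Parse one advisory file. safe_load is used because advisory files come from a
# third-party repository; Date is the only non-scalar class the schema needs.
def parse_advisory(yaml_text)
  data = YAML.safe_load(yaml_text, permitted_classes: [Date])
  id = if data["cve"] then "CVE-#{data["cve"]}"
       elsif data["ghsa"] then "GHSA-#{data["ghsa"]}"
       end
  Advisory.new(
    gem:        data.fetch("gem"),
    id:         id,
    title:      data["title"],
    patched:    Array(data["patched_versions"]),
    unaffected: Array(data["unaffected_versions"])
  )
end

# Each list entry is a RubyGems requirement string, possibly with several
# comma-separated constraints (e.g. ">= 1.0, < 2.0"), so split before parsing.
def requirement_for(spec)
  Gem::Requirement.new(*spec.split(/,\s*/))
end

# A version is vulnerable unless it satisfies at least one unaffected or patched
# requirement; this is how the two lists are meant to be read.
def vulnerable?(advisory, version_string)
  version = Gem::Version.new(version_string)
  safe = (advisory.unaffected + advisory.patched).any? do |spec|
    requirement_for(spec).satisfied_by?(version)
  end
  !safe
end

# Scan resolved gems (name => version, as read from a Gemfile.lock) against
# advisories indexed by gem name; returns [gem, version, advisory id] triples.
def scan(locked_gems, advisories)
  by_gem = advisories.group_by(&:gem)
  locked_gems.flat_map do |name, version|
    (by_gem[name] || []).select { |adv| vulnerable?(adv, version) }
                        .map { |adv| [name, version, adv.id] }
  end
end

if __FILE__ == $PROGRAM_NAME
  adv = parse_advisory(SAMPLE_ADVISORY_YAML)
  # Constructed lockfile contents: 1.3.0 sits in the gap between the two patched ranges.
  locked = { "example-gem" => "1.3.0", "other-gem" => "2.0.0" }
  scan(locked, [adv]).each { |g, v, id| puts "#{g} #{v} is affected by #{id}" }
end
```

Note the gap case: `~> 1.2.5` covers 1.2.5 up to but excluding 1.3, and `>= 1.3.2` starts later, so 1.3.0 and 1.3.1 are reported as affected even though both neighbouring minor series have fixes. Reading the two lists this way, rather than as "anything newer than the first patched version is fine", is what makes the check correct for backported fixes.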
OSV, added 2025/09/01 9:57 a.m. (1 view)

MAL-2025-46924 Malicious code in advisory_db_toolkit (RubyGems)

Source: ossf-package-analysis 6f9757e1ad29ad430d32886a0fcfa47e48a29e5e4af901f48e305216133028e6. The OpenSSF Package Analysis project identified 'advisory_db_toolkit' @ 99.99.99 (rubygems) as malicious. It is considered malicious because: - The...

AI score 7.2; Exploits 0
Github Security Blog, added 2025/06/27 4:00 p.m. (3 views)

GitHub Advisory Database by the numbers: Known security vulnerabilities and what you can do about them

The GitHub Advisory Database (Advisory DB) is a vital resource for developers, providing a comprehensive list of known security vulnerabilities and malware affecting open source packages. This post analyzes trends in the Advisory DB, highlighting the growth in reviewed advisories, ecosystem coverag...

AI score 8.4; Exploits 0
OSV, added 2024/06/15 12:00 a.m. (16 views)

OPENSUSE-SU-2024:11953-1 cargo-audit-advisory-db-20220323-1.1 on GA media

These are all security issues fixed in the cargo-audit-advisory-db-20220323-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS 7.5, AI score 8.4, EPSS 0.07539; Exploits 2, References 1
OSV, added 2024/06/15 12:00 a.m. (3 views)

OPENSUSE-SU-2024:11708-1 cargo-audit-advisory-db-20220105-1.1 on GA media

These are all security issues fixed in the cargo-audit-advisory-db-20220105-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS 6.5, AI score 7.1, EPSS 0.0031; Exploits 0, References 1
Github Security Blog, added 2023/11/07 11:44 p.m. (24 views)

rusty_paseto vulnerable to private key extraction due to ed25519-dalek dependency

Impact: The vulnerability, known as RUSTSEC-2022-0093, impacts the ed25519-dalek crate, which is a dependency of the rusty-paseto crate. This issue arises from a "Double Public Key Signing Function Oracle Attack" affecting versions of ed25519-dalek prior to v2.0. These versions expose an unsafe AP...

AI score 6.5; Exploits 0, References 5, Affected software 1
NVD, added 2023/08/01 11:15 a.m. (10 views)

CVE-2023-32302

Rejected reason: Authoritative user requested CVE rejection https://github.com/github/advisory-database/pull/2575#issuecomment-1745811653...

AI score 6.5; Exploits 0
OpenVAS, added 2023/06/26 12:00 a.m. (21 views)

Python <= 3.12.1 'RecursionError' Vulnerability - Linux

Python is prone to a... (the indexed summary breaks off here; what follows in the record is header text from the Greenbone NASL check rather than a description: SPDX-FileCopyrightText: 2023 Greenbone AG; "Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders"; SPDX-License-Identifier: GPL-2.0-only; CPE = "cpe:/a:python:python"; if(description...)

CVSS 7.5, AI score 8.7, EPSS 0.00279; Exploits 1, References 4
OSV, added 2023/01/10 10:48 p.m. (286 views)

GHSA-3244-8MFF-W398 Reflected XSS in Gotify's /docs via import of outdated Swagger UI

Impact: Gotify exposes an outdated instance of the Swagger UI API documentation frontend at /docs, which is susceptible to reflected XSS attacks when loading external Swagger config files. Specifically, the DOMPurify version included with this version of Swagger UI is vulnerable to a rendering XSS...

AI score 6.3; Exploits 0, References 5
Github Security Blog, added 2023/01/10 10:48 p.m. (51 views)

Reflected XSS in Gotify's /docs via import of outdated Swagger UI

Impact: Gotify exposes an outdated instance of the Swagger UI API documentation frontend at /docs, which is susceptible to reflected XSS attacks when loading external Swagger config files. Specifically, the DOMPurify version included with this version of Swagger UI is vulnerable to a rendering XSS...

CVSS 6.1, AI score 2.1, EPSS 0.00417; Exploits 1, References 5, Affected software 1
Github Security Blog, added 2022/05/24 5:00 p.m. (11 views)

Withdrawn Advisory: Magento 2 Community Edition XSS Vulnerability

Withdrawn Advisory: This advisory has been withdrawn because the vulnerability does not affect a package in one of the GitHub Advisory Database's supported ecosystems. This link is maintained to preserve external references. Original Description: In Magento prior to 1.9.4.3 and Magento prior to...

CVSS 4.8, AI score 5.7, EPSS 0.01801; Exploits 0, References 3, Affected software 1
FreeBSD, added 2021/09/02 12:00 a.m. (20 views)

Pillow -- Regular Expression Denial of Service (ReDoS)

GitHub Advisory Database reports: Uncontrolled Resource Consumption in pillow. The package pillow from 0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. References: https://nvd.nist.gov/vuln/detail/CVE-2021-23437...

CVSS 7.5, AI score 1.4, EPSS 0.00226; Exploits 1, References 1
OSV, added 2020/10/01 12:00 p.m. (9 views)

RUSTSEC-2020-0051 Obsolete versions of the `rustsec` crate do not support the new V3 advisory format

If you are seeing this message, you are running an obsolete version of cargo-audit which does not support the new V3 advisory format. These versions are end-of-life. This advisory is a notice that it will soon be unable to parse the advisory database. Please upgrade cargo-audit to a newer...

AI score 7; Exploits 0, References 3
RustSec, added 2020/10/01 12:00 p.m. (8 views)

Obsolete versions of the `rustsec` crate do not support the new V3 advisory format

If you are seeing this message, you are running an obsolete version of cargo-audit which does not support the new V3 advisory format. These versions are end-of-life. This advisory is a notice that it will soon be unable to parse the advisory database. Please upgrade cargo-audit to a newer...

AI score 2.7; Exploits 0, Affected software 1