74 Pull requests merged by 33 people

• [GHSA-v6x6-4v4x-2fx9] Lunary Cross-Site Request Forgery (CSRF) vulnerability

  #5741 merged Jun 20, 2025

• [GHSA-6p2q-8qfq-wq7x] Lunary improper access control vulnerability

  #5740 merged Jun 20, 2025

• [GHSA-9jmp-j63g-8x6m] Lunary information disclosure vulnerability

  #5739 merged Jun 20, 2025

• [GHSA-rpx8-fg6w-rm6x] lunary-ai/lunary XSS in SAML metadata endpoint

  #5738 merged Jun 20, 2025

• [GHSA-5m48-vr54-vmh3] jersey: XXE via parameter entities not disabled by the...

  #5735 merged Jun 19, 2025

• [GHSA-qvhf-3567-pc4v] Sandbox bypass vulnerability in Script Security Plugin

  #5732 merged Jun 19, 2025

• [GHSA-2hcm-q3f4-fjgw] Arbitrary file write as the OSV-SCALIBR user on the host...

  #5729 merged Jun 18, 2025

• [GHSA-wgc6-9f6w-h8hx] microlight allows a denial of service

  #5730 merged Jun 18, 2025

• [GHSA-887c-mr87-cxwp] PyTorch Improper Resource Shutdown or Release vulnerability

  #5728 merged Jun 17, 2025

• Improve GHSA-274v-mgcv-cm8j

  #5723 merged Jun 17, 2025

• [GHSA-274v-mgcv-cm8j] Argo CD GitOps Engine does not scrub secret values from patch errors

  #5689 merged Jun 17, 2025

• [GHSA-qvjc-g5vr-mfgr] Regular Expression Denial of Service in papaparse

  #5719 merged Jun 16, 2025

• [GHSA-h4j7-5rxr-p4wc] Microsoft.Build.Tasks.Core .NET Spoofing Vulnerability

  #5718 merged Jun 16, 2025

• [GHSA-2865-hh9g-w894] Microsoft Security Advisory CVE-2025-24070: .NET Elevation of Privilege Vulnerability

  #5722 merged Jun 13, 2025

• [GHSA-rf6q-vx79-mjxr] Undertow Uncontrolled Resource Consumption

  #5715 merged Jun 12, 2025

• [GHSA-v6h2-p8h4-qcjw] brace-expansion Regular Expression Denial of Service vulnerability

  #5716 merged Jun 11, 2025

• [GHSA-pfq8-rq6v-vf5m] kangax html-minifier REDoS vulnerability

  #5695 merged Jun 11, 2025

• [GHSA-cvx7-x8pj-x2gw] CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification

  #5696 merged Jun 9, 2025

• [GHSA-g92j-qhmh-64v2] Sentry's Python SDK unintentionally exposes environment variables to subprocesses

  #5694 merged Jun 6, 2025

• [GHSA-8j8w-wwqc-x596] Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11...

  #5691 merged Jun 6, 2025

• [GHSA-v3c8-3pr6-gr7p] Multiple vector store integrations in run-llama...

  #5690 merged Jun 6, 2025

• [GHSA-g3p6-82vc-43jh] Yii 2 Redis may expose AUTH paramters in logs in case of connection failure

  #5693 merged Jun 6, 2025

• [GHSA-wrxf-x8rm-6ggg] Fluent Fluentd and Fluent-ui use default password

  #5686 merged Jun 5, 2025

• [GHSA-jr6h-r7vg-f9mc] org.ini4j allows attackers to cause a Denial of Service (DoS)

  #5687 merged Jun 4, 2025

• [GHSA-rhx6-c78j-4q9w] Unpatched path-to-regexp ReDoS in 0.1.x

  #5685 merged Jun 3, 2025

• [GHSA-rhx6-c78j-4q9w] Unpatched path-to-regexp ReDoS in 0.1.x

  #5603 merged Jun 3, 2025

• [GHSA-4wp7-92pw-q264] CVE-2024-38820 ensured Locale-independent, lowercase...

  #5683 merged Jun 2, 2025

• [GHSA-56pw-mpj4-fxww] Bundled libwebp in Pillow vulnerable

  #5666 merged May 30, 2025

• [GHSA-xh6m-7cr7-xx66] Missing permission checks on Hazelcast client protocol

  #5682 merged May 30, 2025

• [GHSA-4gc7-5j7h-4qph] Spring Framework DataBinder Case Sensitive Match Exception

  #5680 merged May 29, 2025

• [GHSA-7chv-rrw6-w6fc] XStream is vulnerable to a Remote Command Execution attack

  #5679 merged May 29, 2025

• [GHSA-xhfx-hgmf-v6vp] Potential Host Header Poisoning on misconfigured servers

  #5678 merged May 29, 2025

• [GHSA-j4f2-536g-r55m] Resource exhaustion in engine.io

  #5676 merged May 29, 2025

• [GHSA-c52f-pq47-2r9j] plugin.yaml file allows for duplicate entries in helm

  #5674 merged May 29, 2025

• [GHSA-qhrx-hcm6-pmrw] Unsafe deserialization in SmtpTransport in CakePHP

  #5673 merged May 29, 2025

• [GHSA-pgwj-prpq-jpc2] Symfony Service IDs Allow Injection

  #5672 merged May 29, 2025

• [GHSA-jp4x-w63m-7wgm] Prototype Pollution in hoek

  #5671 merged May 29, 2025

• [GHSA-w578-j992-554x] Ansible fails to properly mark lookup-plugin results as unsafe

  #5670 merged May 29, 2025

• [GHSA-jc7r-v6fg-2gpf] Apache CXF TLS hostname verification does not work correctly with com.sun.net.ssl.*

  #5669 merged May 29, 2025

• [GHSA-m5qc-5hw7-8vg7] image-size Denial of Service via Infinite Loop during Image Processing

  #5665 merged May 28, 2025

• [GHSA-g88v-2j67-9rmx] Fess has Insecure Temporary File Permissions

  #5663 merged May 28, 2025

• [GHSA-g5vr-rgqm-vf78] Spring Framework Path Traversal vulnerability

  #5662 merged May 28, 2025

• [GHSA-qpxx-2cwh-r5vh] A vulnerability was found in erdogant pypickle up to 1.1...

  #5660 merged May 27, 2025

• [GHSA-75v8-2h7p-7m2m] Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content

  #5661 merged May 27, 2025

• [GHSA-4gc7-5j7h-4qph] Spring Framework DataBinder Case Sensitive Match Exception

  #5659 merged May 27, 2025

• Update GHSA-h958-fxgg-g7w3.json

  #5658 merged May 27, 2025

• [GHSA-6jwp-4wvj-6597] Apache Pinot Vulnerable to Authentication Bypass

  #5657 merged May 27, 2025

• [GHSA-5qmp-9x47-92q8] Rancher's SAML-based login via CLI can be denied by unauthenticated users

  #5656 merged May 27, 2025

• Update GHSA-xr9q-h9c7-xw8q.json

  #5655 merged May 27, 2025

• [GHSA-mq23-vvg7-xfm4] Rancher does not Properly Validate Account Bindings in SAML Authentication Enables User Impersonation on First Login

  #5654 merged May 27, 2025

• [GHSA-pw39-f3m5-cxfc] Elasticsearch Uncaught Exception leading to crash

  #5653 merged May 27, 2025

• [GHSA-ghfh-p92w-j4mg] Elasticsearch Potential Node Crash due to Large Recursion in innerForbidCircularReferences Function

  #5652 merged May 27, 2025

• [GHSA-5xm9-x7x4-4j5x] Elasticsearch Vulnerable to Stack Overflow due to a Large Recursion

  #5651 merged May 27, 2025

• [GHSA-x27v-f838-jh93] io.jmix.rest:jmix-rest allows XSS in the /files Endpoint of the Generic REST API

  #5650 merged May 27, 2025

• [GHSA-jx4g-3xqm-62vh] io.jmix.localfs:jmix-localfs has a Path Traversal in Local File Storage

  #5649 merged May 27, 2025

• [GHSA-f3gv-cwwh-758m] io.jmix.localfs:jmix-localfs affected by DoS in the Local File Storage

  #5648 merged May 27, 2025

• [GHSA-gp98-hfvm-2r4x] Apache IoTDB JDBC Driver Discloses Sensitive Information via Log Files

  #5635 merged May 27, 2025

• [GHSA-hvf8-h2qh-37m9] IPC messages delivered to the wrong frame in Electron

  #5634 merged May 27, 2025

• [GHSA-xh29-r2w5-wx8m] Nokogiri Improperly Handles Unexpected Data Type

  #5631 merged May 27, 2025

• [GHSA-h4j7-5rxr-p4wc] Microsoft.Build.Tasks.Core .NET Spoofing Vulnerability

  #5640 merged May 23, 2025

• [GHSA-9rmm-8fp4-26hv] phpMyAdmin Denial Of Service (DOS) attack

  #5629 merged May 23, 2025

• [GHSA-mmvj-j7hq-rx85] Moodle sensitive information disclosure

  #5628 merged May 23, 2025

• [GHSA-v2rh-5v88-rgvh] Moodle context freezing

  #5627 merged May 23, 2025

• [GHSA-c85r-fwc7-45vc] Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core'

  #5626 merged May 23, 2025

• [GHSA-8h6m-wv39-239m] Rancher users who can create Projects can gain access to arbitrary projects

  #5620 merged May 23, 2025

• [GHSA-ppj3-7jw3-8vc4] Data races in lock_api

  #5604 merged May 23, 2025

• [GHSA-2v42-xp3j-47m4] Xuxueli xxl-job template injection vulnerability

  #5600 merged May 23, 2025

• [GHSA-whc7-5p35-4ww2] Use after free in actix-service

  #5599 merged May 23, 2025

• [GHSA-rqgx-hpg4-456r] Use-after-free in actix-codec

  #5598 merged May 23, 2025

• [GHSA-hhw2-pqhf-vmx2] Use after free in actix-utils

  #5597 merged May 23, 2025

• [GHSA-7cx3-6m66-7c5m] Tornado vulnerable to excessive logging caused by malformed multipart form data

  #5621 merged May 23, 2025

• [GHSA-2865-hh9g-w894] Microsoft Security Advisory CVE-2025-24070: .NET Elevation of Privilege Vulnerability

  #5593 merged May 22, 2025

• [GHSA-g98g-r7gf-2r25] Forgeable Encrypted Session Cookie in Apps Using Auth0-PHP SDK

  #5594 merged May 22, 2025

• [GHSA-cpfp-m5qw-c4r3] Improper Preservation of Permissions in xxl-job

  #5601 merged May 22, 2025

5 Pull requests opened by 5 people

• [GHSA-6vhp-hp77-6w52] Trac HTML WikiProcessor cross-site scripting (XSS) vulnerability

  #5636 opened May 23, 2025

• [GHSA-wrxf-x8rm-6ggg] Fluent Fluentd and Fluent-ui use default password

  #5692 opened Jun 6, 2025

• [GHSA-9v35-4xcr-w9ph] NetBird uses a static initialization vector (IV)

  #5714 opened Jun 11, 2025

• [GHSA-4h8f-2wvx-gg5w] Bouncy Castle Java Cryptography API vulnerable to DNS poisoning

  #5717 opened Jun 12, 2025

• [GHSA-v6h2-p8h4-qcjw] brace-expansion Regular Expression Denial of Service vulnerability

  #5742 opened Jun 21, 2025

7 Issues closed by 3 people

• false-positive on multiple packages

  #5736 closed Jun 19, 2025

• Advisory GHSA-g434-3q2j-hj4r lists incorrect fixed version

  #5688 closed Jun 17, 2025

• Correction Required in GHSA-2pcj-76hj-xqhm Advisory

  #5684 closed Jun 9, 2025

• GHSA-h97m-ww89-6jmq - missing CVE

  #5668 closed May 29, 2025

• GHSA-h97m-ww89-6jmq - CVE missing

  #5667 closed May 29, 2025

• WalletConnect: The onchain UX ecosystem — WalletConnect

  #5664 closed May 28, 2025

• Pypi patch/affected version fixes and remove patched version from GHSA-22fp-mf44-f2mq

  #5639 closed May 27, 2025

3 Issues opened by 3 people

• Newton Protocol: Verifiable Automation Layer for Onchain Finance

  #5743 opened Jun 21, 2025

• question: how handle `affected[].ranges[].events` + `affectedversions-field`

  #5734 opened Jun 19, 2025

• Include Mend.io database

  #5727 opened Jun 16, 2025

2 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• List Perl as an environment

  #3536 commented on May 29, 2025 • 0 new comments

• [GHSA-jrwv-mv4h-7rrq] A vulnerability was found in OpenSSH when the...

  #5308 commented on Jun 17, 2025 • 0 new comments