51 Pull requests merged by 31 people

• [GHSA-4gg5-vx3j-xwc7] Protobuf Java vulnerable to Uncontrolled Resource Consumption

  #6025 merged Aug 19, 2025

• [GHSA-mrr8-v49w-3333] sweetalert2 v11.6.14 and above contains potentially undesirable behavior

  #6014 merged Aug 14, 2025

• [GHSA-6xp3-p59p-q4fj] go-pg SQL injection vulnerability via the component /types/append_value.go

  #6017 merged Aug 14, 2025

• [GHSA-6628-q6j9-w8vg] gRPC Reachable Assertion issue

  #5999 merged Aug 13, 2025

• [GHSA-9hxf-ppjv-w6rq] gRPC connection termination issue

  #5998 merged Aug 13, 2025

• [GHSA-cfgp-2977-2fmm] Connection confusion in gRPC

  #5997 merged Aug 13, 2025

• Note remediation for GHSA-jg74-mwgw-v6x3

  #5991 merged Aug 12, 2025

• Correctly annotate affected package

  #5990 merged Aug 12, 2025

• [GHSA-4q53-fqhc-cr46] ember-source Cross-site Scripting vulnerability

  #5987 merged Aug 11, 2025

• [GHSA-m8p2-495h-ccmh] The SafeHtml annotation in Hibernate-Validator does not properly guard against XSS attacks

  #5791 merged Aug 11, 2025

• [GHSA-4q53-fqhc-cr46] ember-source Cross-site Scripting vulnerability

  #5986 merged Aug 11, 2025

• [GHSA-h4h6-vccr-44h2] uptrace pgdriver SQL injection vulnerability

  #5985 merged Aug 11, 2025

• [GHSA-xwmg-2g98-w7v9] Nimbus JOSE + JWT is vulnerable to DoS attacks when processing deeply nested JSON

  #5983 merged Aug 11, 2025

• [GHSA-x5rq-j2xg-h7qm] Regular Expression Denial of Service (ReDoS) in lodash

  #5982 merged Aug 11, 2025

• [GHSA-jf85-cpcp-j695] Prototype Pollution in lodash

  #5981 merged Aug 11, 2025

• [GHSA-4xc9-xhrj-v574] Prototype Pollution in lodash

  #5980 merged Aug 11, 2025

• [GHSA-fvqr-27wr-82fm] Prototype Pollution in lodash

  #5979 merged Aug 11, 2025

• [GHSA-p6mc-m468-83gw] Prototype Pollution in lodash

  #5978 merged Aug 11, 2025

• [GHSA-35jh-r3h4-6jhm] Command Injection in lodash

  #5977 merged Aug 11, 2025

• [GHSA-29mw-wpgm-hmr9] Regular Expression Denial of Service (ReDoS) in lodash

  #5976 merged Aug 11, 2025

• [GHSA-h4h6-vccr-44h2] uptrace pgdriver SQL injection vulnerability

  #5975 merged Aug 11, 2025

• [GHSA-94g7-hpv8-h9qm] Remote code injection in Log4j

  #5972 merged Aug 7, 2025

• [GHSA-3rw8-4xrq-3f7p] Uptime Kuma ReDoS vulnerability

  #5969 merged Aug 7, 2025

• Update GHSA-mqcp-p2hv-vw6x.json

  #5912 merged Aug 5, 2025

• [GHSA-9j5q-479x-43g2] A prototype pollution in the function deepMerge of ...

  #5902 merged Aug 5, 2025

• [GHSA-8554-jxcw-454q] Webargs mishandles concurrent JSON parsing

  #5899 merged Aug 4, 2025

• [GHSA-rr8j-7w34-xp5j] Vault Community Edition privilege escalation vulnerability

  #5898 merged Aug 4, 2025

• [GHSA-g233-2p4r-3q7v] Hashicorp Vault vulnerable to denial of service through memory exhaustion

  #5897 merged Aug 4, 2025

• [GHSA-jg74-mwgw-v6x3] Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default

  #5896 merged Aug 4, 2025

• [GHSA-2gh3-rmm4-6rq5] Crash due to uncontrolled recursion in protobuf crate

  #5880 merged Aug 1, 2025

• [GHSA-rxf6-323f-44fc] rust-protobuf crate is vulnerable to Uncontrolled Recursion, potentially leading to DoS

  #5881 merged Aug 1, 2025

• [GHSA-9qm3-6qrr-c76m] A prototype pollution vulnerability exists in @nyariv...

  #5877 merged Jul 31, 2025

• [GHSA-rhrv-645h-fjfh] Apache Avro Java SDK vulnerable to Improper Input Validation

  #5876 merged Jul 31, 2025

• [GHSA-wj6h-64fc-37mp] Minerva timing attack on P-256 in python-ecdsa

  #5864 merged Jul 30, 2025

• [GHSA-xh32-cx6c-cp4v] Gogs XSS allowed by stored call in PDF renderer

  #5871 merged Jul 30, 2025

• [GHSA-jgmv-j7ww-jx2x] Koa Open Redirect via Referrer Header (User-Controlled)

  #5870 merged Jul 30, 2025

• [GHSA-65p9-j6pg-72hj] billboard.js before 3.15.1 was discovered to contain a...

  #5865 merged Jul 29, 2025

• [GHSA-95jq-xph2-cx9h] Improperly Controlled Modification of Object Prototype...

  #5859 merged Jul 29, 2025

• [GHSA-49jm-g4m8-x53p] CodeIgniter4 Cross-Site Scripting Vulnerability in debugbar_time Parameter

  #5862 merged Jul 29, 2025

• [GHSA-6j2q-c73v-97c5] Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies

  #5861 merged Jul 28, 2025

• [GHSA-h47j-hc6x-h3qq] Remote Code Execution Vulnerability in NPM mongo-express

  #5855 merged Jul 28, 2025

• [GHSA-xffm-g5w8-qvg7] @eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser

  #5852 merged Jul 28, 2025

• [GHSA-2g7m-ph9x-7q7m] ReDoS in strip_whitespaces() function in cps...

  #5856 merged Jul 28, 2025

• [GHSA-qc4j-v7h6-xr5h] Improper Neutralization of Special Elements used in an OS...

  #5854 merged Jul 25, 2025

• [GHSA-v9mx-4pqq-h232] Bun has an Application-level Prototype Pollution vulnerability in the runtime native API for Glo

  #5850 merged Jul 24, 2025

• [GHSA-4j66-8f4r-3pjx] bun vulnerable to OS Command Injection

  #5851 merged Jul 24, 2025

• [GHSA-rm8p-cx58-hcvx] Axios has Transitive Critical Vulnerability via form-data — Predictable Boundary Values (CVE-2025-7783)

  #5849 merged Jul 24, 2025

• [GHSA-2gxp-6r36-m97r] Corrected severity on advisory

  #5841 merged Jul 23, 2025

• [GHSA-c23v-vqw5-52c5] PowerJob vulnerable to Incorrect Access Control via the create user/save interface.

  #5840 merged Jul 22, 2025

• [GHSA-96c2-h667-9fxp] nova-tiptap has Unauthenticated Arbitrary File Upload Vulnerability

  #5839 merged Jul 22, 2025

• [GHSA-f29h-pxvx-f335] eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7...

  #5838 merged Jul 21, 2025

14 Pull requests opened by 10 people

• [GHSA-7653-r8cq-rf8w] The Nginx Cache Purge Preload plugin for WordPress is...

  #5845 opened Jul 23, 2025

• [GHSA-m5xw-hwxw-fq3j] Deserialization of untrusted data in IPC and Parquet...

  #5988 opened Aug 12, 2025

• [GHSA-6v2p-p543-phr9] golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability

  #5995 opened Aug 13, 2025

• [GHSA-859w-5945-r5v3] Vite's server.fs.deny bypassed with /. for files under project root

  #6018 opened Aug 15, 2025

• [GHSA-xh69-987w-hrp8] resolv vulnerable to DoS via insufficient DNS domain name length validation

  #6019 opened Aug 15, 2025

• [GHSA-q355-h244-969h] Komari vulnerable to Cross-site WebSocket Hijacking

  #6021 opened Aug 17, 2025

• [GHSA-w2cq-g8g3-gm83] content-security-policy-parser Prototype Pollution Vulnerability May Lead to RCE

  #6026 opened Aug 19, 2025

• [GHSA-6qjf-g333-pv38] Job Iteration API is vulnerable to OS Command Injection attack through its CsvEnumerator class

  #6028 opened Aug 19, 2025

• [GHSA-3c93-92r7-j934] Grafana Infinity Datasource Plugin SSRF Vulnerability

  #6029 opened Aug 19, 2025

• [GHSA-8jh9-wqpf-q52c] sweetalert2 v8.19.1 and above contains hidden functionality

  #6030 opened Aug 19, 2025

• [GHSA-457r-cqc8-9vj9] sweetalert2 v10.16.10 and above contains hidden functionality

  #6031 opened Aug 19, 2025

• [GHSA-qq6h-5g6j-q3cm] sweetalert2 v11.4.9 and above contains hidden functionality

  #6032 opened Aug 19, 2025

• [GHSA-r4mg-4433-c7g3] Active Storage allowed transformation methods that were potentially unsafe

  #6033 opened Aug 20, 2025

• [GHSA-76r7-hhxj-r776] Active Record logging vulnerable to ANSI escape injection

  #6034 opened Aug 20, 2025

14 Issues closed by 4 people

• request to review and remove GHSAs

  #5973 closed Aug 8, 2025

• Since "Router firmware" or "Embedded device" ecosystem is not present!!

  #5886 closed Aug 7, 2025

• There is no option labeled "PHP" in the ecosystem dropdown.

  #5885 closed Aug 7, 2025

• Advisory GHSA-3rw8-4xrq-3f7p / CVE-2025-26042 missing fixed version

  #5970 closed Aug 7, 2025

• > https://minepi.com/blog/pi-lockup/

  #5905 closed Aug 5, 2025

• GHSA-w596-4wvx-j9j6 should be withdrawn

  #5878 closed Aug 1, 2025

• Lost assets

  #5874 closed Jul 31, 2025

• request to review and remove GHSA-hhqp-hr66-2g9r

  #5857 closed Jul 29, 2025

• Advisory GHSA-jwvw-v7c5-m82h - Clarification required on ecosystems impacted

  #5796 closed Jul 24, 2025

• Review requested for GHSA-fh4q-jc76-r59p: Potential false positive for the stylus npm package

  #5846 closed Jul 23, 2025

• Metadata Correction Request for GHSA-3wqh-h42r-x8fq (@hapi/subtext)

  #5815 closed Jul 22, 2025

• Add support for Linux packages

  #5836 closed Jul 21, 2025

• Go: Supported ecosystem

  #5762 closed Jul 21, 2025

• Correction Request: Add ammo package to affected list in GHSA-gjph-xf5q-6mfq

  #5820 closed Jul 21, 2025

8 Issues opened by 7 people

• Facebook J. R.

  #6035 opened Aug 20, 2025

• Seeking clarification on Advisory GHSA-h4h5-3hr4-j3g2 - Potential denial of service for protobuf-java

  #6023 opened Aug 18, 2025

• Isues_01

  #6022 opened Aug 17, 2025

• Advisory GHSA-hcg3-q754-cr77 has incorrect package listed

  #5996 opened Aug 13, 2025

• Support Haskell ecosystem advisories

  #5858 opened Jul 27, 2025

• Advisory GHSA-xffm-g5w8-qvg7 has incorrect fix version

  #5853 opened Jul 25, 2025

• Advisory GHSA-4pg4-qvpc-4q3h lists incorrect fixed version

  #5848 opened Jul 23, 2025

• Advisory GHSA-f4w8-cv6p-x6r5 lists incorrect fixed version

  #5847 opened Jul 23, 2025

6 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• False Positive: CWE-506 Flag on Project Packages

  #5478 commented on Jul 23, 2025 • 0 new comments

• A question about review priority

  #4832 commented on Aug 3, 2025 • 0 new comments

• Add support for purl

  #10 commented on Aug 12, 2025 • 0 new comments

• [GHSA-9pp5-9c7g-4r83] Spring Security authorization bypass for method security annotations on private methods

  #5747 commented on Jul 28, 2025 • 0 new comments

• [GHSA-34rf-485x-g5h7] Arbitrary Command Injection in Kubernetes Headlamp via macOS Process codeSign

  #5802 commented on Aug 11, 2025 • 0 new comments

• [GHSA-fr5w-98mc-jjvg] Arbitrary file upload in Mingsoft MCMS

  #5834 commented on Aug 7, 2025 • 0 new comments