95 Pull requests merged by 32 people

• [GHSA-56pw-mpj4-fxww] Bundled libwebp in Pillow vulnerable

  #5666 merged May 30, 2025

• [GHSA-xh6m-7cr7-xx66] Missing permission checks on Hazelcast client protocol

  #5682 merged May 30, 2025

• [GHSA-4gc7-5j7h-4qph] Spring Framework DataBinder Case Sensitive Match Exception

  #5680 merged May 29, 2025

• [GHSA-7chv-rrw6-w6fc] XStream is vulnerable to a Remote Command Execution attack

  #5679 merged May 29, 2025

• [GHSA-xhfx-hgmf-v6vp] Potential Host Header Poisoning on misconfigured servers

  #5678 merged May 29, 2025

• [GHSA-j4f2-536g-r55m] Resource exhaustion in engine.io

  #5676 merged May 29, 2025

• [GHSA-c52f-pq47-2r9j] plugin.yaml file allows for duplicate entries in helm

  #5674 merged May 29, 2025

• [GHSA-qhrx-hcm6-pmrw] Unsafe deserialization in SmtpTransport in CakePHP

  #5673 merged May 29, 2025

• [GHSA-pgwj-prpq-jpc2] Symfony Service IDs Allow Injection

  #5672 merged May 29, 2025

• [GHSA-jp4x-w63m-7wgm] Prototype Pollution in hoek

  #5671 merged May 29, 2025

• [GHSA-w578-j992-554x] Ansible fails to properly mark lookup-plugin results as unsafe

  #5670 merged May 29, 2025

• [GHSA-jc7r-v6fg-2gpf] Apache CXF TLS hostname verification does not work correctly with com.sun.net.ssl.*

  #5669 merged May 29, 2025

• [GHSA-m5qc-5hw7-8vg7] image-size Denial of Service via Infinite Loop during Image Processing

  #5665 merged May 28, 2025

• [GHSA-g88v-2j67-9rmx] Fess has Insecure Temporary File Permissions

  #5663 merged May 28, 2025

• [GHSA-g5vr-rgqm-vf78] Spring Framework Path Traversal vulnerability

  #5662 merged May 28, 2025

• [GHSA-qpxx-2cwh-r5vh] A vulnerability was found in erdogant pypickle up to 1.1...

  #5660 merged May 27, 2025

• [GHSA-75v8-2h7p-7m2m] Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content

  #5661 merged May 27, 2025

• [GHSA-4gc7-5j7h-4qph] Spring Framework DataBinder Case Sensitive Match Exception

  #5659 merged May 27, 2025

• Update GHSA-h958-fxgg-g7w3.json

  #5658 merged May 27, 2025

• [GHSA-6jwp-4wvj-6597] Apache Pinot Vulnerable to Authentication Bypass

  #5657 merged May 27, 2025

• [GHSA-5qmp-9x47-92q8] Rancher's SAML-based login via CLI can be denied by unauthenticated users

  #5656 merged May 27, 2025

• Update GHSA-xr9q-h9c7-xw8q.json

  #5655 merged May 27, 2025

• [GHSA-mq23-vvg7-xfm4] Rancher does not Properly Validate Account Bindings in SAML Authentication Enables User Impersonation on First Login

  #5654 merged May 27, 2025

• [GHSA-pw39-f3m5-cxfc] Elasticsearch Uncaught Exception leading to crash

  #5653 merged May 27, 2025

• [GHSA-ghfh-p92w-j4mg] Elasticsearch Potential Node Crash due to Large Recursion in innerForbidCircularReferences Function

  #5652 merged May 27, 2025

• [GHSA-5xm9-x7x4-4j5x] Elasticsearch Vulnerable to Stack Overflow due to a Large Recursion

  #5651 merged May 27, 2025

• [GHSA-x27v-f838-jh93] io.jmix.rest:jmix-rest allows XSS in the /files Endpoint of the Generic REST API

  #5650 merged May 27, 2025

• [GHSA-jx4g-3xqm-62vh] io.jmix.localfs:jmix-localfs has a Path Traversal in Local File Storage

  #5649 merged May 27, 2025

• [GHSA-f3gv-cwwh-758m] io.jmix.localfs:jmix-localfs affected by DoS in the Local File Storage

  #5648 merged May 27, 2025

• [GHSA-gp98-hfvm-2r4x] Apache IoTDB JDBC Driver Discloses Sensitive Information via Log Files

  #5635 merged May 27, 2025

• [GHSA-hvf8-h2qh-37m9] IPC messages delivered to the wrong frame in Electron

  #5634 merged May 27, 2025

• [GHSA-xh29-r2w5-wx8m] Nokogiri Improperly Handles Unexpected Data Type

  #5631 merged May 27, 2025

• [GHSA-h4j7-5rxr-p4wc] Microsoft.Build.Tasks.Core .NET Spoofing Vulnerability

  #5640 merged May 23, 2025

• [GHSA-9rmm-8fp4-26hv] phpMyAdmin Denial Of Service (DOS) attack

  #5629 merged May 23, 2025

• [GHSA-mmvj-j7hq-rx85] Moodle sensitive information disclosure

  #5628 merged May 23, 2025

• [GHSA-v2rh-5v88-rgvh] Moodle context freezing

  #5627 merged May 23, 2025

• [GHSA-c85r-fwc7-45vc] Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core'

  #5626 merged May 23, 2025

• [GHSA-8h6m-wv39-239m] Rancher users who can create Projects can gain access to arbitrary projects

  #5620 merged May 23, 2025

• [GHSA-ppj3-7jw3-8vc4] Data races in lock_api

  #5604 merged May 23, 2025

• [GHSA-2v42-xp3j-47m4] Xuxueli xxl-job template injection vulnerability

  #5600 merged May 23, 2025

• [GHSA-whc7-5p35-4ww2] Use after free in actix-service

  #5599 merged May 23, 2025

• [GHSA-rqgx-hpg4-456r] Use-after-free in actix-codec

  #5598 merged May 23, 2025

• [GHSA-hhw2-pqhf-vmx2] Use after free in actix-utils

  #5597 merged May 23, 2025

• [GHSA-7cx3-6m66-7c5m] Tornado vulnerable to excessive logging caused by malformed multipart form data

  #5621 merged May 23, 2025

• [GHSA-2865-hh9g-w894] Microsoft Security Advisory CVE-2025-24070: .NET Elevation of Privilege Vulnerability

  #5593 merged May 22, 2025

• [GHSA-g98g-r7gf-2r25] Forgeable Encrypted Session Cookie in Apps Using Auth0-PHP SDK

  #5594 merged May 22, 2025

• [GHSA-cpfp-m5qw-c4r3] Improper Preservation of Permissions in xxl-job

  #5601 merged May 22, 2025

• Update GHSA-x88g-h956-m5xg.json with two new patches

  #5572 merged May 20, 2025

• Update GHSA-cjfr-9f5r-3q93.json

  #5571 merged May 20, 2025

• Update GHSA-5chr-fjjv-38qv.json with two new patches

  #5570 merged May 20, 2025

• Update GHSA-qcgg-j2x8-h9g8.json with 3 new patch commits

  #5569 merged May 20, 2025

• [GHSA-pq67-2wwv-3xjx] tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File

  #5563 merged May 20, 2025

• Update GHSA-6w4x-gcx3-8p7v.json for adding a new patch

  #5568 merged May 20, 2025

• [GHSA-fxpc-qmrh-7j2h] The tarteaucitron-wp WordPress plugin before 0.3.0 allows...

  #5561 merged May 20, 2025

• Update GHSA-mcrp-whpw-jp68.json for a new patch link

  #5566 merged May 20, 2025

• [GHSA-7rxf-gvfg-47g4] Flask-CORS improper regex path matching vulnerability

  #5550 merged May 17, 2025

• [GHSA-43qf-4rqw-9q2g] Flask-CORS vulnerable to Improper Handling of Case Sensitivity

  #5549 merged May 17, 2025

• [GHSA-8vgw-p6qm-5gr7] Flask-CORS allows for inconsistent CORS matching

  #5548 merged May 17, 2025

• [GHSA-2qm5-r82g-5hcx] ThinkAdmin directory traversal vulnerability

  #5536 merged May 15, 2025

• [GHSA-r99q-hmqv-xw8w] Moodle Authenticated LFI risk in some misconfig…

  #5537 merged May 15, 2025

• [GHSA-8qwh-4vwv-7c5m] Moodle Cross-site Scripting (XSS)

  #5538 merged May 15, 2025

• [GHSA-68x5-4jg5-gjgg] Moodle CSRF risk in analytics management of models

  #5539 merged May 15, 2025

• [GHSA-xqhh-253w-4q5f] Moodle Cross-site Scripting (XSS)

  #5540 merged May 15, 2025

• [GHSA-gq9f-8rj4-w7jc] Moodle CSRF risk in admin preset tool management of presets

  #5541 merged May 15, 2025

• [GHSA-vvh5-7v3m-j3mj] Moodle Unsanitized HTML in site log for config_log_created

  #5542 merged May 15, 2025

• Update GHSA-9qgq-93c7-9hm4.json

  #5535 merged May 15, 2025

• [GHSA-4vp2-mj4m-69m4] ThinkAdmin insecure unserialize vulnerability

  #5534 merged May 15, 2025

• [GHSA-v47f-vp3p-5j6h] Cross-site scripting in ThinkAdmin

  #5533 merged May 15, 2025

• [GHSA-42mr-jpwh-m9rv] Linkerd resource exhaustion vulnerability

  #5527 merged May 15, 2025

• [GHSA-wq9g-9vfc-cfq9] Improper Handling of Highly Compressed Data (Data Amplification) in github.com/getkin/kin-openapi/openapi3filter

  #5546 merged May 15, 2025

• [GHSA-ff77-26x5-69cr] Apache Tomcat Rewrite rule bypass

  #5531 merged May 14, 2025

• [GHSA-ff77-26x5-69cr] Apache Tomcat Rewrite rule bypass

  #5530 merged May 14, 2025

• [GHSA-3p2h-wqq4-wf4h] Apache Tomcat Denial of Service via invalid HTTP priority header

  #5529 merged May 14, 2025

• [GHSA-hw58-3793-42gg] Keycloak hostname verification

  #5495 merged May 13, 2025

• fix: pax-logging-log4j2 ranges affected by CVE-2021-44832

  #5523 merged May 9, 2025

• fix: pax-logging-log4j2 ranges affected by CVE-2021-45105

  #5522 merged May 9, 2025

• fix: pax-logging-log4j2 ranges affected by CVE-2021-45046

  #5521 merged May 9, 2025

• fix: pax-logging-log4j2 ranges affected by CVE-2021-44228

  #5520 merged May 9, 2025

• Update GHSA-9q29-jcjw-fw7h.json

  #5514 merged May 8, 2025

• Update GHSA-vm9c-39jx-q45w.json

  #5515 merged May 8, 2025

• Update GHSA-rg56-94j7-hjx9.json

  #5516 merged May 8, 2025

• Update GHSA-pj96-xh2w-fgqx.json

  #5518 merged May 8, 2025

• Update GHSA-hxgg-4qww-85ph.json

  #5517 merged May 8, 2025

• [GHSA-9w9f-6mg8-jp7w] Missing Role Based Access Control for the REST handlers in bleve/http package

  #5511 merged May 8, 2025

• Add affected pax-logging-log4j2 to CVE-2021-44832

  #5504 merged May 7, 2025

• Add affected pax-logging-log4j2 to CVE-2021-45105

  #5503 merged May 7, 2025

• [GHSA-jfh8-c2jp-5v3q] Remote code injection in Log4j

  #5501 merged May 7, 2025

• Add pax-logging-log4j2 to CVE-2021-45046

  #5502 merged May 7, 2025

• [GHSA-8gqj-226h-gm8r] Passport-wsfed-saml2 allows SAML Authentication Bypass via Attribute Smuggling

  #5509 merged May 7, 2025

• [GHSA-rhh4-rh7c-7r5v] Archiver Path Traversal vulnerability

  #5506 merged May 7, 2025

• [GHSA-pfrc-5hhq-6hvr] Showdoc Unauthenticated Access

  #5505 merged May 6, 2025

• [GHSA-9rw2-jf8x-cgwm] Flair allows arbitrary code execution

  #5498 merged May 2, 2025

• [GHSA-fjfg-q662-gm6j] Moderate severity vulnerability that affects rails

  #5497 merged May 1, 2025

• [GHSA-75v8-2h7p-7m2m] Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content

  #5493 merged Apr 30, 2025

• [GHSA-j3g3-5qv5-52mj] net-imap rubygem vulnerable to possible DoS by memory exhaustion

  #5494 merged Apr 30, 2025

3 Pull requests opened by 3 people

• [GHSA-c678-jfcj-6jmf] A vulnerability was found in PyTorch 2.6.0+cu124. It has...

  #5512 opened May 8, 2025

• [GHSA-rhx6-c78j-4q9w] Unpatched `path-to-regexp` ReDoS in 0.1.x

  #5603 opened May 21, 2025

• [GHSA-6vhp-hp77-6w52] Trac HTML WikiProcessor cross-site scripting (XSS) vulnerability

  #5636 opened May 23, 2025

5 Issues closed by 3 people

• GHSA-h97m-ww89-6jmq - missing CVE

  #5668 closed May 29, 2025

• GHSA-h97m-ww89-6jmq - CVE missing

  #5667 closed May 29, 2025

• WalletConnect: The onchain UX ecosystem — WalletConnect

  #5664 closed May 28, 2025

• Pypi patch/affected version fixes and remove patched version from GHSA-22fp-mf44-f2mq

  #5639 closed May 27, 2025

• [nitpick] Ensure that the modified timestamp update is intentional and aligns with the overall metadata consistency for the advisory.

  #5544 closed May 15, 2025

2 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• List Perl as an environment

  #3536 commented on May 29, 2025 • 0 new comments

• [GHSA-fc9h-whq2-v747] Valid ECDSA signatures erroneously rejected in Elliptic

  #5442 commented on May 8, 2025 • 0 new comments