GitHub CVE statistics
Below you'll find the most talked-about vulnerabilities on GitHub for the selected time window. We scan every incoming repository name and description, extract CVE identifiers, and rank them by how often developers reference them. The fresher the CVE and the higher its rank, the more likely it is that proof-of-concept code, exploit scripts or mitigation tips are circulating right now.
How to act on this data
- If a CVE in the Top 10 affects your stack, prioritise patching and monitor for exploitation attempts.
- Click a CVE ID to open its NVD page for full details, CVSS scores and known mitigations.
- Switch the timeframe to spot emerging threats or long-term trends.
Rank | CVE | Title | Metrics (CVSS version, severity, score) | Repo count | Last seen |
---|---|---|---|---|---|
1 | CVE-2025-44228 (Hot) | n/a | n/a | 4 | 2025-05-03 09:14 UTC |
2 | CVE-2025-45250 (Hot) | n/a | n/a | 4 | 2025-05-07 17:01 UTC |
3 | CVE-2025-34028 (Hot) | Commvault Command Center Innovation Release Unauthenticated Path Traversal | v3.1 CRITICAL (Score: 10) | 4 | 2025-05-06 19:57 UTC |
4 | CVE-2025-29927 | Authorization Bypass in Next.js Middleware | v3.1 CRITICAL (Score: 9.1) | 3 | 2025-05-08 09:07 UTC |
5 | CVE-2024-38475 | Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path. | n/a | 3 | 2025-05-09 08:55 UTC |
6 | CVE-2025-31324 | Missing Authorization check in SAP NetWeaver (Visual Composer development server) | v3.1 CRITICAL (Score: 10) | 3 | 2025-05-07 08:01 UTC |
7 | CVE-2025-32433 | Erlang/OTP SSH Vulnerable to Pre-Authentication RCE | v3.1 CRITICAL (Score: 10) | 3 | 2025-05-03 15:19 UTC |
8 | CVE-2025-2011 | n/a | n/a | 2 | 2025-05-07 03:24 UTC |
9 | CVE-2021-25646 | Authenticated users can override system configurations in their requests which allows them to execute arbitrary code. | n/a | 2 | 2025-05-08 21:07 UTC |
10 | CVE-2025-12654 | n/a | n/a | 2 | 2025-05-03 09:14 UTC |
11 | CVE-2016-5195 | n/a | n/a | 2 | 2025-05-03 09:14 UTC |
12 | CVE-2021-1931 | n/a | v3.1 MEDIUM (Score: 6.7) | 2 | 2025-05-04 15:00 UTC |
13 | CVE-2024-27956 | WordPress Automatic plugin <= 3.92.0 - Unauthenticated Arbitrary SQL Execution vulnerability | v3.1 CRITICAL (Score: 9.9) | 2 | 2025-05-03 09:14 UTC |
14 | CVE-2025-26529 | Stored XSS risk in admin live log | v3.1 HIGH (Score: 8.3) | 2 | 2025-05-03 20:49 UTC |
15 | CVE-2021-23017 | n/a | n/a | 2 | 2025-05-06 19:57 UTC |
16 | CVE-2025-3248 | Langflow Unauth RCE | v3.1 CRITICAL (Score: 9.8) | 2 | 2025-05-05 22:12 UTC |
17 | CVE-2025-27533 | n/a | n/a | 2 | 2025-05-09 08:55 UTC |
18 | CVE-2025-24801 | GLPI allows authenticated remote code execution | v3.1 HIGH (Score: 8.6) | 2 | 2025-05-06 07:57 UTC |
19 | CVE-2025-31161 | n/a | v3.1 CRITICAL (Score: 9.8) | 2 | 2025-05-03 09:14 UTC |
20 | CVE-2025-27007 | WordPress SureTriggers <= 1.0.82 - Privilege Escalation Vulnerability | v3.1 CRITICAL (Score: 9.8) | 2 | 2025-05-07 08:01 UTC |
21 | CVE-2023-46818 | n/a | n/a | 2 | 2025-05-03 09:14 UTC |
22 | CVE-2023-7231 | n/a | n/a | 2 | 2025-05-08 09:07 UTC |
23 | CVE-2024-57376 | n/a | n/a | 2 | 2025-05-08 09:07 UTC |
24 | CVE-2025-3969 | codeprojects News Publishing Site Dashboard Edit Category Page edit-category.php unrestricted upload | v4.0 MEDIUM (Score: 5.3) | 2 | 2025-05-05 10:12 UTC |
25 | CVE-2025-32375 | Insecure Deserialization leads to RCE in BentoML's runner server | v3.1 CRITICAL (Score: 9.8) | 2 | 2025-05-03 20:49 UTC |
26 | CVE-2025-46731 | Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI | v4.0 HIGH (Score: 7.3) | 1 | 2025-05-06 07:57 UTC |
27 | CVE-2024-13513 | Oliver POS – A WooCommerce Point of Sale (POS) <= 2.4.2.3 - Sensitive Information Exposure to Privilege Escalation | v3.1 CRITICAL (Score: 9.8) | 1 | 2025-05-09 08:55 UTC |
28 | CVE-2025-3605 | n/a | n/a | 1 | 2025-05-09 23:14 UTC |
29 | CVE-2022-24894 | Symfony storing cookie headers in HttpCache | v3.1 MEDIUM (Score: 5.9) | 1 | 2025-05-08 09:07 UTC |
30 | CVE-2025-24252 | n/a | n/a | 1 | 2025-05-06 19:57 UTC |
31 | CVE-2024-21546 | n/a | v4.0 CRITICAL (Score: 9.3) | 1 | 2025-05-05 10:12 UTC |
32 | CVE-2025-28073 | n/a | n/a | 1 | 2025-05-07 17:01 UTC |
33 | CVE-2025-3776 | Verification SMS with TargetSMS <= 1.5 - Unauthenticated Limited Remote Code Execution | v3.1 HIGH (Score: 8.3) | 1 | 2025-05-05 16:12 UTC |
34 | CVE-2024-13800 | Popup Plugin For WordPress - ConvertPlus <= 3.5.30 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update | v3.1 HIGH (Score: 8.1) | 1 | 2025-05-07 17:01 UTC |
35 | CVE-2025-31125 | Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query | v3.1 MEDIUM (Score: 5.3) | 1 | 2025-05-07 08:01 UTC |
36 | CVE-2025-24893 | Remote code execution as guest via SolrSearchMacros request in xwiki | v3.1 CRITICAL (Score: 9.8) | 1 | 2025-05-05 10:12 UTC |
37 | CVE-2025-44039 | n/a | n/a | 1 | 2025-05-03 09:14 UTC |
38 | CVE-2020-13151 | n/a | n/a | 1 | 2025-05-03 09:14 UTC |
39 | CVE-2021-21424 | Prevent user enumeration using Guard or the new Authenticator-based Security | v3.1 MEDIUM (Score: 5.3) | 1 | 2025-05-08 09:07 UTC |
40 | CVE-2024-3400 | PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect | v3.1 CRITICAL (Score: 10) | 1 | 2025-05-03 09:14 UTC |
41 | CVE-2025-29448 | n/a | n/a | 1 | 2025-05-05 22:12 UTC |
42 | CVE-2021-41268 | Cookie persistence in Symfony | v3.1 MEDIUM (Score: 6.5) | 1 | 2025-05-08 09:07 UTC |
43 | CVE-2023-4504 | OpenPrinting CUPS/libppd Postscript Parsing Heap Overflow | n/a | 1 | 2025-05-08 09:07 UTC |
44 | CVE-2024-23113 | n/a | v3.1 CRITICAL (Score: 9.8) | 1 | 2025-05-03 09:14 UTC |
45 | CVE-2025-47549 | n/a | n/a | 1 | 2025-05-08 21:07 UTC |
46 | CVE-2025-47240 | n/a | n/a | 1 | 2025-05-03 23:36 UTC |
47 | CVE-2025-3604 | Flynax Bridge <= 2.2.0 - Unauthenticated Privilege Escalation via Account Takeover | v3.1 CRITICAL (Score: 9.8) | 1 | 2025-05-06 07:57 UTC |
48 | CVE-2024-39722 | n/a | n/a | 1 | 2025-05-07 08:01 UTC |
49 | CVE-2025-2748 | Kentico Xperience stored cross-site scripting in multiple-file upload functionality | v3.1 MEDIUM (Score: 6.5) | 1 | 2025-05-09 23:14 UTC |
50 | CVE-2025-24203 | n/a | n/a | 1 | 2025-05-09 08:55 UTC |
51 | CVE-2025-31650 | Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame | n/a | 1 | 2025-05-03 09:14 UTC |
52 | CVE-2025-47226 | n/a | v3.1 MEDIUM (Score: 5) | 1 | 2025-05-03 20:49 UTC |
53 | CVE-2025-28074 | n/a | n/a | 1 | 2025-05-07 17:01 UTC |
54 | CVE-2025-47550 | n/a | n/a | 1 | 2025-05-08 21:07 UTC |
55 | CVE-2025-24054 | NTLM Hash Disclosure Spoofing Vulnerability | v3.1 MEDIUM (Score: 6.5) | 1 | 2025-05-03 09:14 UTC |
56 | CVE-2024-25600 | WordPress Bricks Theme <= 1.9.6 - Unauthenticated Remote Code Execution (RCE) vulnerability | v3.1 CRITICAL (Score: 10) | 1 | 2025-05-09 23:14 UTC |
57 | CVE-2024-6648 | n/a | n/a | 1 | 2025-05-08 15:07 UTC |
58 | CVE-2012-3576 | n/a | n/a | 1 | 2025-05-03 09:14 UTC |
59 | CVE-2025-24132 | n/a | n/a | 1 | 2025-05-06 19:57 UTC |
60 | CVE-2025-25014 | n/a | n/a | 1 | 2025-05-07 17:01 UTC |
61 | CVE-2025-3928 | Commvault Web Server unspecified vulnerability | v4.0 HIGH (Score: 8.7) | 1 | 2025-05-03 09:14 UTC |
62 | CVE-2024-49138 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | v3.1 HIGH (Score: 7.8) | 1 | 2025-05-04 20:09 UTC |
63 | CVE-2024-31317 | n/a | n/a | 1 | 2025-05-03 09:14 UTC |
64 | CVE-2025-1974 | ingress-nginx admission controller RCE escalation | v3.1 CRITICAL (Score: 9.8) | 1 | 2025-05-07 03:24 UTC |
65 | CVE-2024-39719 | n/a | n/a | 1 | 2025-05-08 09:07 UTC |
66 | CVE-2025-47423 | n/a | n/a | 1 | 2025-05-07 08:01 UTC |
67 | CVE-2025-47256 | n/a | n/a | 1 | 2025-05-05 16:12 UTC |
68 | CVE-2025-28062 | n/a | n/a | 1 | 2025-05-05 16:12 UTC |
69 | CVE-2021-42392 | n/a | n/a | 1 | 2025-05-08 15:07 UTC |
70 | CVE-2025-1304 | NewsBlogger <= 0.2.5.1 - Authenticated (Subscriber+) Arbitrary File Upload | v3.1 HIGH (Score: 8.8) | 1 | 2025-05-03 09:14 UTC |
71 | CVE-2025-4190 | n/a | n/a | 1 | 2025-05-07 17:01 UTC |
72 | CVE-2019-10909 | n/a | n/a | 1 | 2025-05-08 09:07 UTC |
73 | CVE-2003-0201 | n/a | n/a | 1 | 2025-05-08 09:07 UTC |
74 | CVE-2023-22518 | n/a | v3.0 CRITICAL (Score: 10) | 1 | 2025-05-05 10:12 UTC |
75 | CVE-2025-46271 | Planet Technology Network Products OS Command Injection | v4.0 CRITICAL (Score: 9.3) | 1 | 2025-05-08 09:07 UTC |