GitHub CVE statistics
Below you'll find the most talked-about vulnerabilities on GitHub for the selected time window. We scan every incoming repository name and description, extract CVE identifiers, and rank them by how often developers reference them. The fresher the CVE and the higher its rank, the more likely it is that proof-of-concept code, exploit scripts or mitigation tips are circulating right now.
How to act on this data
- If a CVE in the Top 10 affects your stack, prioritise patching and monitor for exploitation attempts.
- Click a CVE ID to open its NVD page for full details, CVSS scores and known mitigations.
- Switch the timeframe to spot emerging threats or long-term trends.
| Rank | CVE | Title | Metrics | Repo count | Last seen |
|---|---|---|---|---|---|
| 1 | CVE-2025-8088 Hot | n/a | n/a | 6 | 2025-09-18 11:29 UTC |
| 2 | CVE-2024-28397 Hot | n/a | n/a | 5 | 2025-09-17 23:29 UTC |
| 3 | CVE-2025-57819 Hot | FreePBX Affected by Authentication Bypass Leading to SQL Injection and RCE |
v4.0
CRITICAL
Score: 10
|
3 | 2025-09-14 18:30 UTC |
| 4 | CVE-2025-55234 | Windows SMB Elevation of Privilege Vulnerability |
v3.1
HIGH
Score: 8.8
|
3 | 2025-09-15 06:30 UTC |
| 5 | CVE-2025-44228 | n/a | n/a | 3 | 2025-09-15 00:30 UTC |
| 6 | CVE-2025-48384 | Git allows arbitrary code execution through broken config quoting |
v3.1
HIGH
Score: 8.1
|
3 | 2025-09-13 06:30 UTC |
| 7 | CVE-2025-29927 | Authorization Bypass in Next.js Middleware |
v3.1
CRITICAL
Score: 9.1
|
3 | 2025-09-17 11:29 UTC |
| 8 | CVE-2025-59359 | n/a | n/a | 2 | 2025-09-18 05:29 UTC |
| 9 | CVE-2019-3396 | n/a | n/a | 2 | 2025-09-16 12:30 UTC |
| 10 | CVE-2025-24813 | Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT | n/a | 2 | 2025-09-15 00:30 UTC |
| 11 | CVE-2025-53770 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
v3.1
CRITICAL
Score: 9.8
|
2 | 2025-09-13 12:30 UTC |
| 12 | CVE-2024-3094 | Xz: malicious code in distributed source |
v3.1
CRITICAL
Score: 10
|
2 | 2025-09-12 06:30 UTC |
| 13 | CVE-2025-26686 | Windows TCP/IP Remote Code Execution Vulnerability |
v3.1
HIGH
Score: 7.5
|
2 | 2025-09-16 06:30 UTC |
| 14 | CVE-2024-1709 | Authentication bypass using an alternate path or channel |
v3.1
CRITICAL
Score: 10
|
2 | 2025-09-17 11:29 UTC |
| 15 | CVE-2025-27210 | n/a |
v3.0
HIGH
Score: 7.5
|
2 | 2025-09-16 12:30 UTC |
| 16 | CVE-2025-56019 | n/a | n/a | 2 | 2025-09-13 06:30 UTC |
| 17 | CVE-2025-54918 | Windows NTLM Elevation of Privilege Vulnerability |
v3.1
HIGH
Score: 8.8
|
2 | 2025-09-17 11:29 UTC |
| 18 | CVE-2014-6287 | n/a | n/a | 2 | 2025-09-16 18:30 UTC |
| 19 | CVE-2025-8571 | Concrete CMS 9 through 9.4.2 and below 8.5.21 is vulnerable to Reflected Cross-Site Scripting (XSS) in Conversation Messages Dashboard Page |
v4.0
MEDIUM
Score: 4.8
|
2 | 2025-09-12 18:30 UTC |
| 20 | CVE-2025-3248 | Langflow Unauth RCE |
v3.1
CRITICAL
Score: 9.8
|
2 | 2025-09-17 11:29 UTC |
| 21 | CVE-2025-48543 | n/a | n/a | 2 | 2025-09-14 18:30 UTC |
| 22 | CVE-2025-4123 | n/a |
v3.1
MEDIUM
Score: 6.8
|
2 | 2025-09-12 12:30 UTC |
| 23 | CVE-2025-21692 | net: sched: fix ets qdisc OOB Indexing | n/a | 2 | 2025-09-14 18:30 UTC |
| 24 | CVE-2025-24799 | GLPI allows unauthenticated SQL injection through the inventory endpoint |
v3.1
HIGH
Score: 7.5
|
2 | 2025-09-16 18:30 UTC |
| 25 | CVE-2024-4157 | Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.15 - PHP Object Injection via extractDynamicValues |
v3.1
HIGH
Score: 7.5
|
2 | 2025-09-17 11:29 UTC |
| 26 | CVE-2025-8570 | BeyondCart Connector <= 2.1.0 - Missing Configuration of JWT Secret to Unauthenticated Privilege Escalation via determine_current_user Filter |
v3.1
CRITICAL
Score: 9.8
|
2 | 2025-09-12 18:30 UTC |
| 27 | CVE-2010-1240 | n/a | n/a | 2 | 2025-09-17 11:29 UTC |
| 28 | CVE-2025-21333 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability |
v3.1
HIGH
Score: 7.8
|
2 | 2025-09-12 18:30 UTC |
| 29 | CVE-2023-30258 | n/a | n/a | 1 | 2025-09-18 17:29 UTC |
| 30 | CVE-2025-29306 | n/a | n/a | 1 | 2025-09-18 05:29 UTC |
| 31 | CVE-2024-45712 | SolarWinds Serv-U Client-Side Cross-Site Scripting Vulnerability |
v3.1
LOW
Score: 2.6
|
1 | 2025-09-17 11:29 UTC |
| 32 | CVE-2025-38501 | n/a | n/a | 1 | 2025-09-15 12:30 UTC |
| 33 | CVE-2025-12654 | n/a | n/a | 1 | 2025-09-15 00:30 UTC |
| 34 | CVE-2025-9074 | Docker Desktop allows unauthenticated access to Docker Engine API from containers |
v4.0
CRITICAL
Score: 9.3
|
1 | 2025-09-16 00:30 UTC |
| 35 | CVE-2024-1708 | Improper limitation of a pathname to a restricted directory (“path traversal”) |
v3.1
HIGH
Score: 8.4
|
1 | 2025-09-17 11:29 UTC |
| 36 | CVE-2025-2945 | pgAdmin 4: Remote Code Execution in Query Tool and Cloud Deployment |
v3.1
CRITICAL
Score: 9.9
|
1 | 2025-09-13 12:30 UTC |
| 37 | CVE-2025-49144 | Notepad++ Privilege Escalation in Installer via Uncontrolled Executable Search Path |
v3.1
HIGH
Score: 7.3
|
1 | 2025-09-17 17:29 UTC |
| 38 | CVE-2025-51006 | n/a | n/a | 1 | 2025-09-12 18:30 UTC |
| 39 | CVE-2024-4701 | Path Traversal vulnerability via File Uploads in Genie |
v3.1
CRITICAL
Score: 9.9
|
1 | 2025-09-12 12:30 UTC |
| 40 | CVE-2025-32433 | Erlang/OTP SSH Vulnerable to Pre-Authentication RCE |
v3.1
CRITICAL
Score: 10
|
1 | 2025-09-18 17:29 UTC |
| 41 | CVE-2024-9264 | Grafana SQL Expressions allow for remote code execution |
v4.0
CRITICAL
Score: 9.4
|
1 | 2025-09-13 06:30 UTC |
| 42 | CVE-2025-59376 | n/a | n/a | 1 | 2025-09-15 18:30 UTC |
| 43 | CVE-2025-31161 | n/a |
v3.1
CRITICAL
Score: 9.8
|
1 | 2025-09-15 06:30 UTC |
| 44 | CVE-2024-6387 | Openssh: regresshion - race condition in ssh allows rce/dos |
v3.1
HIGH
Score: 8.1
|
1 | 2025-09-13 06:30 UTC |
| 45 | CVE-2025-53772 | n/a | n/a | 1 | 2025-09-18 17:29 UTC |
| 46 | CVE-2025-50944 | n/a | n/a | 1 | 2025-09-14 00:30 UTC |
| 47 | CVE-2024-43630 | Windows Kernel Elevation of Privilege Vulnerability |
v3.1
HIGH
Score: 7.8
|
1 | 2025-09-17 23:29 UTC |
| 48 | CVE-2025-9776 | n/a | n/a | 1 | 2025-09-13 06:30 UTC |
| 49 | CVE-2025-3639 | n/a | n/a | 1 | 2025-09-13 06:30 UTC |
| 50 | CVE-2025-46408 | n/a | n/a | 1 | 2025-09-14 00:30 UTC |
| 51 | CVE-2007-2447 | n/a | n/a | 1 | 2025-09-13 12:30 UTC |
| 52 | CVE-2025-55996 | n/a | n/a | 1 | 2025-09-12 06:30 UTC |
| 53 | CVE-2021-22600 | Double Free in net/packet/af_packet.c leading to priviledge escalation |
v3.1
MEDIUM
Score: 6.6
|
1 | 2025-09-17 11:29 UTC |
| 54 | CVE-2025-10533 | n/a | n/a | 1 | 2025-09-16 18:30 UTC |
| 55 | CVE-2021-3493 | n/a |
v3.1
HIGH
Score: 8.8
|
1 | 2025-09-13 18:30 UTC |
| 56 | CVE-2025-50110 | n/a | n/a | 1 | 2025-09-14 00:30 UTC |
| 57 | CVE-2024-42009 | n/a | n/a | 1 | 2025-09-15 00:30 UTC |
| 58 | CVE-2025-59377 | n/a | n/a | 1 | 2025-09-15 18:30 UTC |
| 59 | CVE-2025-54914 | Azure Networking Elevation of Privilege Vulnerability |
v3.1
CRITICAL
Score: 10
|
1 | 2025-09-12 18:30 UTC |
| 60 | CVE-2025-54106 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
v3.1
HIGH
Score: 8.8
|
1 | 2025-09-16 18:30 UTC |
| 61 | CVE-2025-54309 | n/a |
v3.1
CRITICAL
Score: 9
|
1 | 2025-09-13 12:30 UTC |