GitHub CVE statistics
Below you'll find the most talked-about vulnerabilities on GitHub for the selected time window. We scan every incoming repository name and description, extract CVE identifiers, and rank them by how often developers reference them. The fresher the CVE and the higher its rank, the more likely it is that proof-of-concept code, exploit scripts or mitigation tips are circulating right now.
How to act on this data
- If a CVE in the Top 10 affects your stack, prioritise patching and monitor for exploitation attempts.
- Click a CVE ID to open its NVD page for full details, CVSS scores and known mitigations.
- Switch the timeframe to spot emerging threats or long-term trends.
Rank | CVE | Title | Metrics | Repo count | Last seen |
---|---|---|---|---|---|
1 | CVE-2025-48384 Hot | Git allows arbitrary code execution through broken config quoting | v3.1 HIGH, Score: 8.1 | 5 | 2025-09-13 06:30 UTC |
2 | CVE-2025-53690 Hot | n/a | n/a | 4 | 2025-09-11 00:30 UTC |
3 | CVE-2024-28397 Hot | n/a | n/a | 4 | 2025-09-11 00:30 UTC |
4 | CVE-2025-57819 | FreePBX Affected by Authentication Bypass Leading to SQL Injection and RCE | v4.0 CRITICAL, Score: 10 | 4 | 2025-09-12 18:30 UTC |
5 | CVE-2025-21333 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability | v3.1 HIGH, Score: 7.8 | 4 | 2025-09-12 18:30 UTC |
6 | CVE-2025-57833 | n/a | n/a | 3 | 2025-09-11 00:30 UTC |
7 | CVE-2025-32433 | Erlang/OTP SSH Vulnerable to Pre-Authentication RCE | v3.1 CRITICAL, Score: 10 | 3 | 2025-09-11 00:30 UTC |
8 | CVE-2025-8570 | BeyondCart Connector <= 2.1.0 - Missing Configuration of JWT Secret to Unauthenticated Privilege Escalation via determine_current_user Filter | v3.1 CRITICAL, Score: 9.8 | 3 | 2025-09-12 18:30 UTC |
9 | CVE-2024-6387 | Openssh: regresshion - race condition in ssh allows rce/dos | v3.1 HIGH, Score: 8.1 | 3 | 2025-09-13 06:30 UTC |
10 | CVE-2025-54914 | Azure Networking Elevation of Privilege Vulnerability | v3.1 CRITICAL, Score: 10 | 3 | 2025-09-12 18:30 UTC |
11 | CVE-2025-24799 | GLPI allows unauthenticated SQL injection through the inventory endpoint | v3.1 HIGH, Score: 7.5 | 2 | 2025-09-11 00:30 UTC |
12 | CVE-2025-24813 | Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT | n/a | 2 | 2025-09-11 00:30 UTC |
13 | CVE-2021-42013 | Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) | n/a | 2 | 2025-09-11 00:30 UTC |
14 | CVE-2025-30208 | Vite bypasses server.fs.deny when using `?raw??` | v3.1 MEDIUM, Score: 5.3 | 2 | 2025-09-11 00:30 UTC |
15 | CVE-2019-18935 | n/a | n/a | 2 | 2025-09-11 18:30 UTC |
16 | CVE-2025-53770 | Microsoft SharePoint Server Remote Code Execution Vulnerability | v3.1 CRITICAL, Score: 9.8 | 2 | 2025-09-13 12:30 UTC |
17 | CVE-2024-3094 | Xz: malicious code in distributed source | v3.1 CRITICAL, Score: 10 | 2 | 2025-09-12 06:30 UTC |
18 | CVE-2025-6934 | Opal Estate Pro <= 1.7.5 - Unauthenticated Privilege Escalation via 'on_regiser_user' | v3.1 CRITICAL, Score: 9.8 | 2 | 2025-09-11 00:30 UTC |
19 | CVE-2025-2502 | n/a | n/a | 2 | 2025-09-11 00:30 UTC |
20 | CVE-2022-22077 | n/a | v3.1 HIGH, Score: 8.4 | 2 | 2025-09-11 00:30 UTC |
21 | CVE-2022-0847 | n/a | n/a | 2 | 2025-09-11 18:30 UTC |
22 | CVE-2025-23266 | n/a | n/a | 2 | 2025-09-11 00:30 UTC |
23 | CVE-2025-42957 | Code Injection vulnerability in SAP S/4HANA (Private Cloud or On-Premise) | v3.1 CRITICAL, Score: 9.9 | 2 | 2025-09-11 00:30 UTC |
24 | CVE-2025-56019 | n/a | n/a | 2 | 2025-09-13 06:30 UTC |
25 | CVE-2017-5638 | n/a | n/a | 2 | 2025-09-11 18:30 UTC |
26 | CVE-2025-58443 | n/a | n/a | 2 | 2025-09-11 00:30 UTC |
27 | CVE-2024-10220 | Arbitrary command execution through gitRepo volume | v3.1 HIGH, Score: 8.1 | 2 | 2025-09-11 00:30 UTC |
28 | CVE-2025-8571 | Concrete CMS 9 through 9.4.2 and below 8.5.21 is vulnerable to Reflected Cross-Site Scripting (XSS) in Conversation Messages Dashboard Page | v4.0 MEDIUM, Score: 4.8 | 2 | 2025-09-12 18:30 UTC |
29 | CVE-2025-24893 | Remote code execution as guest via SolrSearchMacros request in xwiki | v3.1 CRITICAL, Score: 9.8 | 2 | 2025-09-11 00:30 UTC |
30 | CVE-2025-29927 | Authorization Bypass in Next.js Middleware | v3.1 CRITICAL, Score: 9.1 | 2 | 2025-09-12 00:30 UTC |
31 | CVE-2025-4123 | n/a | v3.1 MEDIUM, Score: 6.8 | 2 | 2025-09-12 12:30 UTC |
32 | CVE-2025-8088 | n/a | n/a | 2 | 2025-09-11 00:30 UTC |
33 | CVE-2025-42944 | n/a | n/a | 2 | 2025-09-11 18:30 UTC |
34 | CVE-2025-31161 | n/a | v3.1 CRITICAL, Score: 9.8 | 2 | 2025-09-11 00:30 UTC |
35 | CVE-2023-46818 | n/a | n/a | 2 | 2025-09-11 00:30 UTC |
36 | CVE-2025-52970 | n/a | n/a | 2 | 2025-09-11 00:30 UTC |
37 | CVE-2015-5736 | n/a | n/a | 2 | 2025-09-11 00:30 UTC |
38 | CVE-2025-24071 | Microsoft Windows File Explorer Spoofing Vulnerability | v3.1 MEDIUM, Score: 6.5 | 2 | 2025-09-11 00:30 UTC |
39 | CVE-2018-11776 | n/a | n/a | 2 | 2025-09-11 00:30 UTC |
40 | CVE-2025-54309 | n/a | v3.1 CRITICAL, Score: 9 | 2 | 2025-09-13 12:30 UTC |
41 | CVE-2025-5095 | n/a | n/a | 2 | 2025-09-11 00:30 UTC |
42 | CVE-2025-43300 | n/a | n/a | 2 | 2025-09-11 00:30 UTC |
43 | CVE-2025-22131 | Cross-Site Scripting (XSS) vulnerability in generateNavigation() function | v4.0 MEDIUM, Score: 5.1 | 2 | 2025-09-11 00:30 UTC |
44 | CVE-2025-2945 | pgAdmin 4: Remote Code Execution in Query Tool and Cloud Deployment | v3.1 CRITICAL, Score: 9.9 | 1 | 2025-09-13 12:30 UTC |
45 | CVE-2018-15473 | n/a | n/a | 1 | 2025-09-11 06:30 UTC |
46 | CVE-2025-51006 | n/a | n/a | 1 | 2025-09-12 18:30 UTC |
47 | CVE-2025-24204 | n/a | n/a | 1 | 2025-09-11 00:30 UTC |
48 | CVE-2025-10142 | n/a | n/a | 1 | 2025-09-11 00:30 UTC |
49 | CVE-2025-55232 | Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability | v3.1 CRITICAL, Score: 9.8 | 1 | 2025-09-11 00:30 UTC |
50 | CVE-2025-55234 | Windows SMB Elevation of Privilege Vulnerability | v3.1 HIGH, Score: 8.8 | 1 | 2025-09-13 06:30 UTC |
51 | CVE-2024-9264 | Grafana SQL Expressions allow for remote code execution | v4.0 CRITICAL, Score: 9.4 | 1 | 2025-09-13 06:30 UTC |
52 | CVE-2024-23897 | n/a | n/a | 1 | 2025-09-11 00:30 UTC |
53 | CVE-2017-12865 | n/a | n/a | 1 | 2025-09-11 00:30 UTC |
54 | CVE-2025-56605 | n/a | n/a | 1 | 2025-09-11 00:30 UTC |
55 | CVE-2025-53772 | n/a | n/a | 1 | 2025-09-11 00:30 UTC |
56 | CVE-2024-4956 | Nexus Repository 3 - Path Traversal | v3.1 HIGH, Score: 7.5 | 1 | 2025-09-11 00:30 UTC |
57 | CVE-2025-3639 | n/a | n/a | 1 | 2025-09-13 06:30 UTC |
58 | CVE-2018-6574 | n/a | n/a | 1 | 2025-09-11 00:30 UTC |
59 | CVE-2018-16763 | n/a | n/a | 1 | 2025-09-11 00:30 UTC |
60 | CVE-2025-49388 | n/a | n/a | 1 | 2025-09-11 00:30 UTC |
61 | CVE-2025-58780 | n/a | n/a | 1 | 2025-09-11 00:30 UTC |
62 | CVE-2025-7771 | Code Execution / Escalation of Privileges in ThrottleStop | v4.0 HIGH, Score: 8.7 | 1 | 2025-09-11 00:30 UTC |
63 | CVE-2007-2447 | n/a | n/a | 1 | 2025-09-13 12:30 UTC |
64 | CVE-2025-57520 | n/a | n/a | 1 | 2025-09-11 00:30 UTC |
65 | CVE-2025-55996 | n/a | n/a | 1 | 2025-09-12 06:30 UTC |
66 | CVE-2021-21707 | Special characters break path parsing in XML functions | v3.1 MEDIUM, Score: 5.3 | 1 | 2025-09-11 00:30 UTC |
67 | CVE-2025-54236 | n/a | n/a | 1 | 2025-09-11 00:30 UTC |
68 | CVE-2025-32463 | n/a | v3.1 CRITICAL, Score: 9.3 | 1 | 2025-09-11 00:30 UTC |
69 | CVE-2024-32019 | ndsudo: local privilege escalation via untrusted search path | v3.1 HIGH, Score: 8.8 | 1 | 2025-09-11 00:30 UTC |
70 | CVE-2016-5195 | n/a | n/a | 1 | 2025-09-11 00:30 UTC |
71 | CVE-2025-49113 | n/a | v3.1 CRITICAL, Score: 9.9 | 1 | 2025-09-11 00:30 UTC |
72 | CVE-2025-10046 | n/a | n/a | 1 | 2025-09-11 00:30 UTC |
73 | CVE-2025-58180 | n/a | n/a | 1 | 2025-09-11 00:30 UTC |
74 | CVE-2025-52389 | n/a | n/a | 1 | 2025-09-11 00:30 UTC |
75 | CVE-2025-9776 | n/a | n/a | 1 | 2025-09-13 06:30 UTC |
76 | CVE-2025-47812 | n/a | v3.1 CRITICAL, Score: 10 | 1 | 2025-09-11 00:30 UTC |
77 | CVE-2021-44228 | Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints | n/a | 1 | 2025-09-11 00:30 UTC |
78 | CVE-2024-4701 | Path Traversal vulnerability via File Uploads in Genie | v3.1 CRITICAL, Score: 9.9 | 1 | 2025-09-12 12:30 UTC |
79 | CVE-2021-4034 | n/a | n/a | 1 | 2025-09-11 18:30 UTC |
80 | CVE-2024-22722 | n/a | n/a | 1 | 2025-09-11 00:30 UTC |