GitHub CVE statistics
Below you'll find the most talked-about vulnerabilities on GitHub for the selected time window. We scan every incoming repository name and description, extract CVE identifiers, and rank them by how often developers reference them. The fresher the CVE and the higher its rank, the more likely it is that proof-of-concept code, exploit scripts or mitigation tips are circulating right now.
How to act on this data
- If a CVE in the Top 10 affects your stack, prioritise patching and monitor for exploitation attempts.
- Click a CVE ID to open its NVD page for full details, CVSS scores and known mitigations.
- Switch the timeframe to spot emerging threats or long-term trends.
| Rank | CVE | Title | Metrics | Repo count | Last seen |
|---|---|---|---|---|---|
| 1 | CVE-2025-33053 Hot | Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability |
v3.1
HIGH
Score: 8.8
|
6 | 2025-06-18 23:56 UTC |
| 2 | CVE-2025-33073 Hot | Windows SMB Client Elevation of Privilege Vulnerability |
v3.1
HIGH
Score: 8.8
|
5 | 2025-06-15 11:56 UTC |
| 3 | CVE-2025-49113 Hot | n/a |
v3.1
CRITICAL
Score: 9.9
|
5 | 2025-06-17 23:56 UTC |
| 4 | CVE-2025-3248 | Langflow Unauth RCE |
v3.1
CRITICAL
Score: 9.8
|
4 | 2025-06-18 23:56 UTC |
| 5 | CVE-2025-0133 | PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in GlobalProtect Gateway and Portal |
v4.0
MEDIUM
Score: 6.9
|
3 | 2025-06-18 11:56 UTC |
| 6 | CVE-2016-3088 | n/a | n/a | 2 | 2025-06-16 11:56 UTC |
| 7 | CVE-2024-40898 | Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows | n/a | 2 | 2025-06-14 15:17 UTC |
| 8 | CVE-2024-50379 | Apache Tomcat: RCE due to TOCTOU issue in JSP compilation | n/a | 2 | 2025-06-14 09:17 UTC |
| 9 | CVE-2025-5287 | n/a | n/a | 2 | 2025-06-16 23:56 UTC |
| 10 | CVE-2023-1698 | WAGO: WBM Command Injection in multiple products |
v3.1
CRITICAL
Score: 9.8
|
2 | 2025-06-15 17:56 UTC |
| 11 | CVE-2021-31956 | Windows NTFS Elevation of Privilege Vulnerability |
v3.1
HIGH
Score: 7.8
|
2 | 2025-06-17 23:56 UTC |
| 12 | CVE-2019-14811 | n/a |
v3.0
HIGH
Score: 7.3
|
2 | 2025-06-15 23:56 UTC |
| 13 | CVE-2025-44203 | n/a | n/a | 2 | 2025-06-18 23:56 UTC |
| 14 | CVE-2025-49619 | n/a |
v3.1
HIGH
Score: 8.5
|
2 | 2025-06-15 11:56 UTC |
| 15 | CVE-2023-6401 | NotePad++ dbghelp.exe uncontrolled search path |
v3.1
MEDIUM
Score: 5.3
|
2 | 2025-06-18 23:56 UTC |
| 16 | CVE-2015-1578 | n/a | n/a | 2 | 2025-06-19 05:56 UTC |
| 17 | CVE-2025-5964 | Path traversal in M-Files API |
v4.0
HIGH
Score: 8.4
|
2 | 2025-06-17 05:56 UTC |
| 18 | CVE-2025-5815 | Traffic Monitor <= 3.2.2 - Missing Authorization to Unauthenticated Settings Update |
v3.1
MEDIUM
Score: 5.3
|
2 | 2025-06-13 09:17 UTC |
| 19 | CVE-2021-29447 | WordPress Authenticated XXE attack when installation is running PHP 8 |
v3.1
HIGH
Score: 7.1
|
2 | 2025-06-12 21:17 UTC |
| 20 | CVE-2025-4009 | n/a | n/a | 2 | 2025-06-13 21:17 UTC |
| 21 | CVE-2025-2783 | n/a | n/a | 2 | 2025-06-17 05:56 UTC |
| 22 | CVE-2025-24071 | Microsoft Windows File Explorer Spoofing Vulnerability |
v3.1
MEDIUM
Score: 6.5
|
2 | 2025-06-13 09:17 UTC |
| 23 | CVE-2025-31650 | Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame | n/a | 2 | 2025-06-13 15:17 UTC |
| 24 | CVE-2025-4123 | n/a |
v3.1
HIGH
Score: 7.6
|
2 | 2025-06-17 11:56 UTC |
| 25 | CVE-2024-4577 | Argument Injection in PHP-CGI |
v3.1
CRITICAL
Score: 9.8
|
2 | 2025-06-15 11:56 UTC |
| 26 | CVE-2024-49138 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
v3.1
HIGH
Score: 7.8
|
1 | 2025-06-12 15:17 UTC |
| 27 | CVE-2017-0143 | n/a | n/a | 1 | 2025-06-17 11:56 UTC |
| 28 | CVE-2024-8232 | iniNet Solutions SpiderControl SCADA Web Server Unrestricted Upload of File with Dangerous Type |
v4.0
HIGH
Score: 8.7
|
1 | 2025-06-12 09:17 UTC |
| 29 | CVE-2024-55890 | D-Tale allows Remote Code Execution through the Custom Filter Input |
v4.0
MEDIUM
Score: 6.9
|
1 | 2025-06-13 09:17 UTC |
| 30 | CVE-2025-29471 | n/a | n/a | 1 | 2025-06-13 03:17 UTC |
| 31 | CVE-2025-24035 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
v3.1
HIGH
Score: 8.1
|
1 | 2025-06-12 09:17 UTC |
| 32 | CVE-2025-26198 | n/a | n/a | 1 | 2025-06-18 23:56 UTC |
| 33 | CVE-2021-40724 | Adobe Acrobat Reader Android Abritrary Code Execution Vulnerability |
v3.1
HIGH
Score: 7.8
|
1 | 2025-06-15 17:56 UTC |
| 34 | CVE-2025-2135 | n/a | n/a | 1 | 2025-06-17 11:56 UTC |
| 35 | CVE-2025-32433 | Erlang/OTP SSH Vulnerable to Pre-Authentication RCE |
v3.1
CRITICAL
Score: 10
|
1 | 2025-06-15 17:56 UTC |
| 36 | CVE-2010-1872 | n/a | n/a | 1 | 2025-06-14 21:17 UTC |
| 37 | CVE-2025-46181 | n/a | n/a | 1 | 2025-06-14 09:17 UTC |
| 38 | CVE-2014-6271 | n/a | n/a | 1 | 2025-06-14 15:17 UTC |
| 39 | CVE-2025-20125 | Cisco Identity Services Engine Insufficient Authorization Bypass Vulnerability |
v3.1
CRITICAL
Score: 9.1
|
1 | 2025-06-16 11:56 UTC |
| 40 | CVE-2025-20124 | Cisco Identity Services Engine Java Deserialization Vulnerability |
v3.1
CRITICAL
Score: 9.9
|
1 | 2025-06-16 11:56 UTC |
| 41 | CVE-2025-21420 | Windows Disk Cleanup Tool Elevation of Privilege Vulnerability |
v3.1
HIGH
Score: 7.8
|
1 | 2025-06-12 21:17 UTC |
| 42 | CVE-2024-54772 | n/a | n/a | 1 | 2025-06-12 21:17 UTC |
| 43 | CVE-2025-24054 | NTLM Hash Disclosure Spoofing Vulnerability |
v3.1
MEDIUM
Score: 6.5
|
1 | 2025-06-14 09:17 UTC |
| 44 | CVE-2025-43200 | n/a | n/a | 1 | 2025-06-17 17:56 UTC |
| 45 | CVE-2025-32711 | M365 Copilot Information Disclosure Vulnerability |
v3.1
CRITICAL
Score: 9.3
|
1 | 2025-06-12 15:17 UTC |
| 46 | CVE-2025-26199 | n/a | n/a | 1 | 2025-06-19 05:56 UTC |
| 47 | CVE-2025-32710 | Windows Remote Desktop Services Remote Code Execution Vulnerability |
v3.1
HIGH
Score: 8.1
|
1 | 2025-06-18 11:56 UTC |
| 48 | CVE-2025-6019 | n/a | n/a | 1 | 2025-06-19 05:56 UTC |
| 49 | CVE-2025-2324565 | n/a | n/a | 1 | 2025-06-14 09:17 UTC |
| 50 | CVE-2025-29927 | Authorization Bypass in Next.js Middleware |
v3.1
CRITICAL
Score: 9.1
|
1 | 2025-06-12 09:17 UTC |
| 51 | CVE-2025-5288 | REST API | Custom API Generator For Cross Platform And Import Export In WP 1.0.0 - 2.0.3 - Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function |
v3.1
CRITICAL
Score: 9.8
|
1 | 2025-06-12 21:17 UTC |
| 52 | CVE-2024-28995 | SolarWinds Serv-U L Directory Transversal Vulnerability |
v3.1
HIGH
Score: 8.6
|
1 | 2025-06-15 11:56 UTC |
| 53 | CVE-2025-49125 | n/a | n/a | 1 | 2025-06-16 17:56 UTC |
| 54 | CVE-2024-9264 | Grafana SQL Expressions allow for remote code execution |
v4.0
CRITICAL
Score: 9.4
|
1 | 2025-06-15 05:56 UTC |
| 55 | CVE-2025-46157 | n/a | n/a | 1 | 2025-06-13 21:17 UTC |
| 56 | CVE-2025-46171 | n/a | n/a | 1 | 2025-06-17 17:56 UTC |
| 57 | CVE-2024-0204 | Authentication Bypass in GoAnywhere MFT |
v3.1
CRITICAL
Score: 9.8
|
1 | 2025-06-15 11:56 UTC |
| 58 | CVE-2025-31161 | n/a |
v3.1
CRITICAL
Score: 9.8
|
1 | 2025-06-15 11:56 UTC |
| 59 | CVE-2025-48466 | n/a | n/a | 1 | 2025-06-17 17:56 UTC |
| 60 | CVE-2025-6220 | Ultimate Addons for Contact Form 7 <= 3.5.12 - Authenticated (Administrator+) Arbitrary File Upload via 'save_options' |
v3.1
HIGH
Score: 7.2
|
1 | 2025-06-17 23:56 UTC |
| 61 | CVE-2025-5419 | n/a | n/a | 1 | 2025-06-14 03:17 UTC |
| 62 | CVE-2025-24201 | n/a | n/a | 1 | 2025-06-14 15:17 UTC |
| 63 | CVE-2025-1094 | PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation |
v3.1
HIGH
Score: 8.1
|
1 | 2025-06-18 17:56 UTC |
| 64 | CVE-2025-5701 | n/a | n/a | 1 | 2025-06-12 09:17 UTC |