GitHub CVE statistics
Below you'll find the most talked-about vulnerabilities on GitHub for the selected time window. We scan every incoming repository name and description, extract CVE identifiers, and rank them by how often developers reference them. The fresher the CVE and the higher its rank, the more likely it is that proof-of-concept code, exploit scripts or mitigation tips are circulating right now.
How to act on this data
- If a CVE in the Top 10 affects your stack, prioritise patching and monitor for exploitation attempts.
- Click a CVE ID to open its NVD page for full details, CVSS scores and known mitigations.
- Switch the timeframe to spot emerging threats or long-term trends.
Rank | CVE | Title | Metrics | Repo count | Last seen |
---|---|---|---|---|---|
1 | CVE-2025-49144 Hot | Notepad++ Privilege Escalation in Installer via Uncontrolled Executable Search Path | v3.1 HIGH (Score: 7.3) | 11 | 2025-06-29 03:40 UTC |
2 | CVE-2025-6218 Hot | n/a | n/a | 5 | 2025-07-01 09:40 UTC |
3 | CVE-2024-27388 Hot | SUNRPC: fix some memleaks in gssx_dec_option_array | n/a | 4 | 2025-06-30 15:40 UTC |
4 | CVE-2025-49132 | n/a | n/a | 4 | 2025-06-25 22:43 UTC |
5 | CVE-2025-30208 | Vite bypasses server.fs.deny when using `?raw??` | v3.1 MEDIUM (Score: 5.3) | 4 | 2025-06-29 15:40 UTC |
6 | CVE-2025-5777 | NetScaler ADC and NetScaler Gateway - Insufficient input validation leading to memory overread | v4.0 CRITICAL (Score: 9.3) | 3 | 2025-06-30 15:40 UTC |
7 | CVE-2024-43917 | WordPress TI WooCommerce Wishlist plugin <= 2.8.2 - SQL Injection vulnerability | v3.1 CRITICAL (Score: 9.3) | 2 | 2025-06-25 22:43 UTC |
8 | CVE-2022-1257 | Improper Verification of Cryptographic Signature by McAfee Agent | v3.1 MEDIUM (Score: 6.1) | 2 | 2025-06-25 04:43 UTC |
9 | CVE-2025-1974 | ingress-nginx admission controller RCE escalation | v3.1 CRITICAL (Score: 9.8) | 2 | 2025-06-26 10:43 UTC |
10 | CVE-2025-27558 | n/a | n/a | 2 | 2025-06-25 16:43 UTC |
11 | CVE-2025-47577 | n/a | n/a | 2 | 2025-06-25 22:43 UTC |
12 | CVE-2025-20281 | Cisco ISE API Unauthenticated Remote Code Execution Vulnerability | v3.1 CRITICAL (Score: 9.8) | 2 | 2025-06-27 21:40 UTC |
13 | CVE-2025-51046 | n/a | n/a | 2 | 2025-06-25 22:43 UTC |
14 | CVE-2025-5309 | n/a | n/a | 2 | 2025-06-24 16:43 UTC |
15 | CVE-2024-40898 | Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows | n/a | 2 | 2025-06-30 15:40 UTC |
16 | CVE-2023-5561 | WordPress < 6.3.2 - Unauthenticated Post Author Email Disclosure | n/a | 2 | 2025-07-01 09:40 UTC |
17 | CVE-2025-48703 | n/a | n/a | 2 | 2025-06-26 16:43 UTC |
18 | CVE-2025-6543 | Memory overflow vulnerability leading to unintended control flow and Denial of Service | v4.0 CRITICAL (Score: 9.2) | 2 | 2025-06-30 09:40 UTC |
19 | CVE-2025-44608 | n/a | n/a | 2 | 2025-06-25 22:43 UTC |
20 | CVE-2025-1718 | n/a | v4.0 HIGH (Score: 7.1) | 2 | 2025-06-24 16:43 UTC |
21 | CVE-2022-2588 | n/a | v3.1 MEDIUM (Score: 5.3) | 2 | 2025-06-25 16:43 UTC |
22 | CVE-2025-1562 | Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit <= 3.5.3 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation | v3.1 CRITICAL (Score: 9.8) | 1 | 2025-06-27 09:40 UTC |
23 | CVE-2024-43425 | Moodle: remote code execution via calculated question types | v3.1 HIGH (Score: 8.1) | 1 | 2025-06-28 09:40 UTC |
24 | CVE-2024-6345 | Remote Code Execution in pypa/setuptools | v3.0 HIGH (Score: 8.8) | 1 | 2025-07-01 03:40 UTC |
25 | CVE-2024-4367 | n/a | n/a | 1 | 2025-06-28 21:40 UTC |
26 | CVE-2019-5736 | n/a | n/a | 1 | 2025-06-25 16:43 UTC |
27 | CVE-2020-1048 | n/a | n/a | 1 | 2025-06-24 16:43 UTC |
28 | CVE-2025-33073 | Windows SMB Client Elevation of Privilege Vulnerability | v3.1 HIGH (Score: 8.8) | 1 | 2025-06-28 21:40 UTC |
29 | CVE-2022-2586 | n/a | v3.1 MEDIUM (Score: 5.3) | 1 | 2025-06-30 21:40 UTC |
30 | CVE-2014-0160 | n/a | n/a | 1 | 2025-06-28 03:40 UTC |
31 | CVE-2025-3248 | Langflow Unauth RCE | v3.1 CRITICAL (Score: 9.8) | 1 | 2025-06-25 04:43 UTC |
32 | CVE-2025-31650 | Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame | n/a | 1 | 2025-06-28 21:40 UTC |
33 | CVE-2023-5180 | Out-of-bounds Write vulnerability exists in ODA Drawings SDK before 2024.12 | v3.1 HIGH (Score: 7.8) | 1 | 2025-06-27 09:40 UTC |
34 | CVE-2025-6019 | Libblockdev: lpe from allow_active to root in libblockdev via udisks | v3.1 HIGH (Score: 7) | 1 | 2025-06-29 15:40 UTC |
35 | CVE-2025-4664 | n/a | n/a | 1 | 2025-06-30 21:40 UTC |
36 | CVE-2025-4334 | Simple User Registration <= 6.3 - Unauthenticated Privilege Escalation | v3.1 CRITICAL (Score: 9.8) | 1 | 2025-06-26 16:43 UTC |
37 | CVE-2025-29927 | Authorization Bypass in Next.js Middleware | v3.1 CRITICAL (Score: 9.1) | 1 | 2025-06-29 15:40 UTC |
38 | CVE-2024-54085 | Redfish Authentication Bypass | v4.0 CRITICAL (Score: 10) | 1 | 2025-06-30 03:40 UTC |
39 | CVE-2024-38819 | n/a | v3.1 HIGH (Score: 7.5) | 1 | 2025-06-25 16:43 UTC |
40 | CVE-2025-48828 | n/a | v3.1 CRITICAL (Score: 9) | 1 | 2025-06-25 22:43 UTC |
41 | CVE-2016-5195 | n/a | n/a | 1 | 2025-06-25 22:43 UTC |
42 | CVE-2025-30712 | n/a | v3.1 HIGH (Score: 8.1) | 1 | 2025-06-25 22:43 UTC |
43 | CVE-2022-22965 | n/a | n/a | 1 | 2025-06-28 15:40 UTC |
44 | CVE-2024-3094 | Xz: malicious code in distributed source | v3.1 CRITICAL (Score: 10) | 1 | 2025-06-27 21:40 UTC |
45 | CVE-2025-5222 | Icu: stack buffer overflow in the srbroot::addtag function | v3.1 HIGH (Score: 7) | 1 | 2025-06-25 22:43 UTC |
46 | CVE-2025-45467 | n/a | n/a | 1 | 2025-06-24 16:43 UTC |
47 | CVE-2025-6860 | SourceCodester Best Salon Management System staff_commision.php sql injection | v4.0 MEDIUM (Score: 5.3) | 1 | 2025-06-30 03:40 UTC |