Source index¶
Maintain this as the seed list of official or primary sources for the tool families documented here. Use these sources to discover offensive operator guidance for authorized testing, not blue-team alerting or defensive SecOps runbooks.
Application security research¶
- Andromeda bytecode C2 research framework: https://github.com/vyrus001/andromeda
- badkeys weak-key checker and web service: https://github.com/badkeys/badkeys and https://badkeys.info/
- GitHub Security Advisories: https://github.com/advisories
- uutils coreutils advisories/source: https://github.com/uutils/coreutils/security/advisories and https://github.com/uutils/coreutils
- Trail of Bits Patch the Planet field reports: https://blog.trailofbits.com/2026/07/02/field-reports-from-patch-the-planet/
- Trail of Bits Mewt mutation-testing DAML support: https://blog.trailofbits.com/2026/07/08/mutation-testing-comes-to-daml/ and https://github.com/trailofbits/mewt
- Trail of Bits Rust Testing Handbook update and rust-review plugin: https://blog.trailofbits.com/2026/07/13/rust-proof-your-code-with-our-new-testing-handbook-chapter/ and https://github.com/trailofbits/skills/tree/main/plugins/rust-review
- Fission advisories/source: https://github.com/fission/fission/security/advisories and https://github.com/fission/fission
- Cedar Express authorization middleware advisories/source: https://github.com/cedar-policy/authorization-for-expressjs/security/advisories and https://github.com/cedar-policy/authorization-for-expressjs
- KubeVirt advisories/source: https://github.com/kubevirt/kubevirt/security/advisories and https://github.com/kubevirt/kubevirt
- Apache Shiro advisories: https://shiro.apache.org/security-reports.html
- Apache Syncope advisories: https://syncope.apache.org/security
- Sigstore Java advisories/source: https://github.com/sigstore/sigstore-java/security/advisories and https://github.com/sigstore/sigstore-java
- Model Context Protocol Java SDK advisories/source: https://github.com/modelcontextprotocol/java-sdk/security/advisories and https://github.com/modelcontextprotocol/java-sdk
- Ray advisories/source: https://github.com/ray-project/ray/security/advisories and https://github.com/ray-project/ray
- MetaGPT source/issues: https://github.com/FoundationAgents/MetaGPT and https://github.com/FoundationAgents/MetaGPT/issues
- go-fastdfs-web advisories/research references: https://github.com/advisories/GHSA-6g49-gvr8-2cj2 and https://vuldb.com/vuln/369017
- vertex-app Vertex source/fixes: https://github.com/vertex-app/vertex and https://github.com/vertex-app/vertex/commit/805d82e7100d49b79b3beb1b9420e8e458987198
- clash-verge-service-ipc source/releases: https://github.com/clash-verge-rev/clash-verge-service-ipc and https://github.com/clash-verge-rev/clash-verge-service-ipc/releases/tag/v2.3.0
- NLTK advisories/source: https://github.com/nltk/nltk/security/advisories and https://github.com/nltk/nltk
- NiceGUI advisories/source: https://github.com/zauberzeug/nicegui/security/advisories and https://github.com/zauberzeug/nicegui
- Picklescan advisories/source: https://github.com/mmaitre314/picklescan/security/advisories and https://github.com/mmaitre314/picklescan
- ONNX source/issues: https://github.com/onnx/onnx and https://github.com/onnx/onnx/issues
- Budibase advisories/source: https://github.com/Budibase/budibase/security/advisories and https://github.com/Budibase/budibase
- Yii 2 advisories/source: https://github.com/yiisoft/yii2/security/advisories and https://github.com/yiisoft/yii2
- OpenClaw advisories/source: https://github.com/openclaw/openclaw/security/advisories and https://github.com/openclaw/openclaw
- free5GC advisories/source: https://github.com/free5gc/free5gc/security/advisories and https://github.com/free5gc/free5gc
- OpenStack Ironic advisories/source: https://security.openstack.org/ and https://opendev.org/openstack/ironic
- BentoML advisories/source: https://github.com/bentoml/BentoML/security/advisories and https://github.com/bentoml/BentoML
- Weblate advisories/source: https://github.com/WeblateOrg/weblate/security/advisories and https://github.com/WeblateOrg/weblate
- vLLM advisories/source: https://github.com/vllm-project/vllm/security/advisories and https://github.com/vllm-project/vllm
- Strawberry GraphQL advisories/source: https://github.com/strawberry-graphql/strawberry/security/advisories and https://github.com/strawberry-graphql/strawberry
- lxml advisories/source: https://github.com/lxml/lxml/security/advisories and https://github.com/lxml/lxml
- Waku advisories/source: https://github.com/wakujs/waku/security/advisories and https://github.com/wakujs/waku
- Skipper advisories/source: https://github.com/zalando/skipper/security/advisories and https://github.com/zalando/skipper
- LangChain advisories/source: https://github.com/langchain-ai/langchain/security/advisories and https://github.com/langchain-ai/langchain
- LangGraph advisories/source: https://github.com/langchain-ai/langgraph/security/advisories and https://github.com/langchain-ai/langgraph
- go-chi/chi advisories/source: https://github.com/go-chi/chi/security/advisories and https://github.com/go-chi/chi
- Lemur advisories/source: https://github.com/Netflix/lemur/security/advisories and https://github.com/Netflix/lemur
- Amazon Braket SDK advisories/source: https://github.com/amazon-braket/amazon-braket-sdk-python/security/advisories and https://github.com/amazon-braket/amazon-braket-sdk-python
- Cisco Unified Communications advisories: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW
- PTC security advisories: https://www.ptc.com/en/support/article/CS473270
- MindsDB advisories/source: https://github.com/mindsdb/mindsdb/security/advisories and https://github.com/mindsdb/mindsdb
- MindsDB file upload path traversal advisory: https://github.com/advisories/GHSA-4894-xqv6-vrfq
- MONAI advisories/source: https://github.com/Project-MONAI/MONAI/security/advisories and https://github.com/Project-MONAI/MONAI
- CISA Known Exploited Vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog (JSON: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
- Shopper advisories/source: https://github.com/shopperlabs/shopper/security/advisories and https://github.com/shopperlabs/shopper
- TinyMCE advisories/source: https://github.com/tinymce/tinymce/security/advisories and https://github.com/tinymce/tinymce
- NASA AMMOS AIT-Core advisories/source: https://github.com/NASA-AMMOS/AIT-Core/security/advisories and https://github.com/NASA-AMMOS/AIT-Core
- Gradio advisories/source: https://github.com/gradio-app/gradio/security/advisories and https://github.com/gradio-app/gradio
- Hugging Face Diffusers advisories/source: https://github.com/huggingface/diffusers/security/advisories and https://github.com/huggingface/diffusers
- Trail of Bits Fickling advisories/source: https://github.com/trailofbits/fickling/security/advisories and https://github.com/trailofbits/fickling
- free5GC NRF source/advisories: https://github.com/free5gc/nrf and https://github.com/free5gc/free5gc/issues
- JupyterHub LTI Authenticator advisories/source: https://github.com/jupyterhub/ltiauthenticator/security/advisories and https://github.com/jupyterhub/ltiauthenticator
- NocoDB advisories and source: https://github.com/nocodb/nocodb/security/advisories and https://github.com/nocodb/nocodb
- DbGate advisories/source: https://github.com/dbgate/dbgate/security/advisories and https://github.com/dbgate/dbgate
- Sync-in Server advisories/source: https://github.com/Sync-in/server/security/advisories and https://github.com/Sync-in/server
- Flux source-controller advisories/source: https://github.com/fluxcd/source-controller/security/advisories and https://github.com/fluxcd/source-controller
- MCP Server Kubernetes advisories and source: https://github.com/Flux159/mcp-server-kubernetes/security/advisories and https://github.com/Flux159/mcp-server-kubernetes
- Omni advisories and source: https://github.com/siderolabs/omni/security/advisories and https://github.com/siderolabs/omni
- Authlib advisories and source: https://github.com/lepture/authlib/security/advisories and https://github.com/lepture/authlib
- Wasmtime advisories and source: https://github.com/bytecodealliance/wasmtime/security/advisories and https://github.com/bytecodealliance/wasmtime
- Crawl4AI advisories and source: https://github.com/unclecode/crawl4ai/security/advisories and https://github.com/unclecode/crawl4ai
- changedetection.io advisories and source: https://github.com/dgtlmoon/changedetection.io/security/advisories and https://github.com/dgtlmoon/changedetection.io
- Dagster advisories and source: https://github.com/dagster-io/dagster/security/advisories and https://github.com/dagster-io/dagster
- Django security releases and advisories: https://docs.djangoproject.com/en/dev/releases/security/ and https://github.com/django/django/security/advisories
- AgentScope advisories and source: https://github.com/modelscope/agentscope/security/advisories and https://github.com/modelscope/agentscope
- Netavark / Podman networking advisories and fixes: https://github.com/containers/netavark, https://github.com/containers/netavark/security/advisories, https://github.com/containers/podman/issues
- APScheduler advisories: https://github.com/agronholm/apscheduler/security/advisories
- BillaBear advisories/project: https://github.com/billabear/billabear and https://github.com/advisories/GHSA-xp6r-8pcc-xv5p
- MCP-for-Stata advisories: https://github.com/SepineTam/stata-mcp/security/advisories
- Shopware advisories: https://github.com/shopware/shopware/security/advisories
- AdGuard Home advisories: https://github.com/AdguardTeam/AdGuardHome/security/advisories
- dnsproxy source/fixes: https://github.com/AdguardTeam/dnsproxy
- Nuclio advisories: https://github.com/nuclio/nuclio/security/advisories
- Better Auth advisories: https://github.com/better-auth/better-auth/security/advisories
- Doorkeeper OpenID Connect advisories: https://github.com/doorkeeper-gem/doorkeeper-openid_connect/security/advisories
- WebOb advisories: https://github.com/Pylons/webob/security/advisories
- Axios advisories: https://github.com/axios/axios/security/advisories
- Mirasvit Cache Warmer changelog: https://mirasvit.com/package/changelog/?package=mirasvit/module-cache-warmer
- Sansec Mirasvit Cache Warmer object-injection research: https://sansec.io/research/mirasvit-cache-warmer-object-injection
- ruby-jwt advisories: https://github.com/jwt/ruby-jwt/security/advisories
- Starlette advisories: https://github.com/Kludex/starlette/security/advisories
- Linux kernel source and fixes: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
- Apache ActiveMQ security advisories: https://activemq.apache.org/security-advisories
- Oracle Critical Patch Updates: https://www.oracle.com/security-alerts/
- Mattermost advisories: https://github.com/mattermost/mattermost/security/advisories
- kas advisories: https://github.com/siemens/kas/security/advisories
- rattler advisories: https://github.com/conda/rattler/security/advisories
- Vitest advisories: https://github.com/vitest-dev/vitest/security/advisories
- DOMPurify advisories: https://github.com/cure53/DOMPurify/security/advisories
- Sentry Python SDK advisories: https://github.com/getsentry/sentry-python/security/advisories
- Git LFS advisories: https://github.com/git-lfs/git-lfs/security/advisories
- phpMyFAQ advisories: https://github.com/thorsten/phpMyFAQ/security/advisories
- arnika advisories: https://github.com/arnika-project/arnika/security/advisories
- PraisonAI advisories: https://github.com/MervinPraison/PraisonAI/security/advisories
- Formie advisories: https://github.com/verbb/formie/security/advisories
- authentik advisories: https://github.com/goauthentik/authentik/security/advisories
- CC-Tweaked advisories: https://github.com/cc-tweaked/CC-Tweaked/security/advisories
- Keras advisories: https://github.com/keras-team/keras/security/advisories
- Admidio advisories: https://github.com/Admidio/admidio/security/advisories
- OpenC3 COSMOS advisories: https://github.com/OpenC3/cosmos/security/advisories
- YARD advisories: https://github.com/lsegal/yard/security/advisories
- Ouroboros advisories: https://github.com/Q00/ouroboros/security/advisories
- Stigmem advisories: https://github.com/eidetic-labs/stigmem/security/advisories
- Koel advisories: https://github.com/koel/koel/security/advisories
- LangBot advisories/source: https://github.com/RockChinQ/LangBot/security/advisories and https://github.com/RockChinQ/LangBot
- Summarize advisories: https://github.com/steipete/summarize/security/advisories and https://www.vulncheck.com/advisories/
- Amazon Redshift Python driver advisories: https://github.com/aws/amazon-redshift-python-driver/security/advisories
- uv advisories: https://github.com/astral-sh/uv/security/advisories
- russh advisories: https://github.com/Eugeny/russh/security/advisories
- AgenticMail advisories: https://github.com/agenticmail/agenticmail/security/advisories
- tar-rs advisories: https://github.com/composefs/tar-rs/security/advisories
- Parse Server advisories: https://github.com/parse-community/parse-server/security/advisories
- Palo Alto Networks PAN-OS advisories: https://security.paloaltonetworks.com/
- vm2 advisories: https://github.com/patriksimek/vm2/security/advisories
- Go-Guerrilla SMTP daemon advisories/source: https://github.com/flashmob/go-guerrilla/security/advisories and https://github.com/flashmob/go-guerrilla
- Puma advisories/source: https://github.com/puma/puma/security/advisories and https://github.com/puma/puma
- Arc advisories/source: https://github.com/basekick-labs/arc/security/advisories and https://github.com/basekick-labs/arc
- 1Panel advisories/source: https://github.com/1Panel-dev/1Panel/security/advisories and https://github.com/1Panel-dev/1Panel
- SGLang advisories: https://github.com/sgl-project/sglang/security/advisories
- ChromaDB advisories and research: https://github.com/chroma-core/chroma/security/advisories and https://www.hiddenlayer.com/research/chromatoast-served-pre-auth
- ngrok npm wrapper advisory reference: https://gist.github.com/Dremig/90c2a0a2f85b0921f10e0bb3192a0c23
- astral-tokio-tar advisories: https://github.com/astral-sh/tokio-tar/security/advisories
- eZ Publish Legacy security advisories/labs: https://github.com/ezsystems/ezpublish-legacy/security/advisories and https://github.com/Goaterino/ezpublish-legacy-lab
- Cluster API Provider Metal3 advisories: https://github.com/metal3-io/cluster-api-provider-metal3/security/advisories
- python-tuf advisories: https://github.com/theupdateframework/python-tuf/security/advisories
- Dulwich advisories: https://github.com/dulwich/dulwich/security/advisories
- nono advisories: https://github.com/always-further/nono/security/advisories
- local-deep-research advisories: https://github.com/LearningCircuit/local-deep-research/security/advisories
- shamefile advisories: https://github.com/BKDDFS/shamefile/security/advisories
- Symfony polyfill advisories: https://github.com/symfony/polyfill/security/advisories
- mem0 advisories: https://github.com/mem0ai/mem0/security/advisories
- compliance-trestle advisories: https://github.com/oscal-compass/compliance-trestle/security/advisories
- Flask-HTTPAuth advisories: https://github.com/miguelgrinberg/Flask-HTTPAuth/security/advisories
- league/commonmark advisories: https://github.com/thephpleague/commonmark/security/advisories
- mamba / mamba-ssm advisories: https://github.com/state-spaces/mamba/security/advisories
- Guardrails AI advisories: https://github.com/guardrails-ai/guardrails/security/advisories
- Horovod project advisories: https://github.com/horovod/horovod/security/advisories
- AsyncSSH advisories: https://github.com/ronf/asyncssh/security/advisories
- Automad advisories: https://github.com/marcantondahmen/automad/security/advisories
- Hapi content advisories: https://github.com/hapijs/content/security/advisories
- Hapi wreck advisories: https://github.com/hapijs/wreck/security/advisories
- Hapi inert advisories/source: https://github.com/hapijs/inert/security/advisories and https://github.com/hapijs/inert
- Pimcore advisories: https://github.com/pimcore/pimcore/security/advisories
- Symfony routing advisories: https://github.com/symfony/symfony/security/advisories
- Symfony security-http advisories: https://github.com/symfony/symfony/security/advisories
- Symfony HtmlSanitizer advisories: https://github.com/symfony/symfony/security/advisories
- Capsule / Project Capsule advisories: https://github.com/projectcapsule/capsule/security/advisories
- Symfony MonologBridge advisories: https://github.com/symfony/symfony/security/advisories
- Symfony Cache advisories: https://github.com/symfony/symfony/security/advisories
- Symfony Mailer advisories: https://github.com/symfony/symfony/security/advisories
- Symfony Mime advisories: https://github.com/symfony/symfony/security/advisories
- Symfony DomCrawler advisories: https://github.com/symfony/symfony/security/advisories
- CrowdSec advisories: https://github.com/crowdsecurity/crowdsec/security/advisories
- Deno advisories: https://github.com/denoland/deno/security/advisories
- Langroid advisories: https://github.com/langroid/langroid/security/advisories
- tmp / node-tmp advisories: https://github.com/raszi/node-tmp/security/advisories
- Nezha Monitoring advisories: https://github.com/nezhahq/nezha/security/advisories
- Arcane advisories: https://github.com/getarcaneapp/arcane/security/advisories
- AstrBot advisories: https://github.com/AstrBotDevs/AstrBot/security/advisories
- Beetl project issues/advisories: https://gitee.com/xiandafu/beetl/issues
- instagrapi advisories: https://github.com/subzeroid/instagrapi/security/advisories
- aiograpi advisories: https://github.com/subzeroid/aiograpi/security/advisories
- Flask-Security advisories: https://github.com/pallets-eco/flask-security/security/advisories
- FileBrowser Quantum advisories: https://github.com/gtsteffaniak/filebrowser/security/advisories
- Drupal core security advisories: https://www.drupal.org/security
- Prefect security advisories: https://github.com/PrefectHQ/prefect/security/advisories
- Apache Camel security advisories: https://camel.apache.org/security/
- Apache Airflow security advisories: https://github.com/apache/airflow/security/advisories
- Fission security advisories: https://github.com/fission/fission/security/advisories
- Kolibri advisories/source: https://github.com/learningequality/kolibri/security/advisories and https://github.com/learningequality/kolibri
- Keycloak advisories/source: https://github.com/keycloak/keycloak/security/advisories and https://github.com/keycloak/keycloak
- Boxlite security advisories: https://github.com/rapiz1/boxlite/security/advisories
- containerd security advisories: https://github.com/containerd/containerd/security/advisories
- Pydantic AI security advisories: https://github.com/pydantic/pydantic-ai/security/advisories
- SQLAdmin security advisories: https://github.com/aminalaee/sqladmin/security/advisories
- Twig security advisories: https://github.com/twigphp/Twig/security/advisories
- Bugsink security advisories: https://github.com/bugsink/bugsink/security/advisories
- Tekton Pipelines security advisories: https://github.com/tektoncd/pipeline/security/advisories
- Apache Flink security advisories: https://flink.apache.org/what-is-flink/security/
- YesWiki security advisories: https://github.com/YesWiki/yeswiki/security/advisories
- Network-AI security advisories: https://github.com/Jovancoding/Network-AI/security/advisories
- JavaScript Cookie security advisories: https://github.com/js-cookie/js-cookie/security/advisories
- pyload-ng security advisories: https://github.com/pyload/pyload/security/advisories
- Crawlee security advisories: https://github.com/apify/crawlee-python/security/advisories
- Crabbox security advisories: https://github.com/openclaw/crabbox/security/advisories
- Langflow security advisories: https://github.com/langflow-ai/langflow/security/advisories
- samlify advisories: https://github.com/tngan/samlify/security/advisories
- Windows-MCP advisories: https://github.com/CursorTouch/Windows-MCP/security/advisories
- OpenMetadata advisories: https://github.com/open-metadata/OpenMetadata/security/advisories
- sanitize-html advisories: https://github.com/apostrophecms/sanitize-html/security/advisories
- SvelteKit advisories: https://github.com/sveltejs/kit/security/advisories
- md-fileserver advisories: https://github.com/commenthol/md-fileserver/security/advisories
- Amazon SageMaker Python SDK advisories: https://github.com/aws/sagemaker-python-sdk/security/advisories
- LMDeploy advisories: https://github.com/InternLM/lmdeploy/security/advisories
- Anyquery advisories/source: https://github.com/julien040/anyquery/security/advisories and https://github.com/julien040/anyquery
- pip security advisories: https://github.com/pypa/pip/security/advisories
- OpenClaude advisories: https://github.com/Gitlawb/openclaude/security/advisories
- TeleJSON advisories: https://github.com/storybookjs/telejson/security/advisories
- Apify MCP server advisories: https://github.com/apify/actors-mcp-server/security/advisories
- protobufjs advisories: https://github.com/protobufjs/protobuf.js/security/advisories
- Open WebUI advisories: https://github.com/open-webui/open-webui/security/advisories
- OpenClaw advisories: https://github.com/openclaw/openclaw/security/advisories
- HashiCorp Nomad advisories: https://github.com/hashicorp/nomad/security/advisories
- go-git advisories: https://github.com/go-git/go-git/security/advisories
- zrok advisories: https://github.com/openziti/zrok/security/advisories
- Mailpit advisories: https://github.com/axllent/mailpit/security/advisories
- Argo CD advisories: https://github.com/argoproj/argo-cd/security/advisories
- Nuxt advisories: https://github.com/nuxt/nuxt/security/advisories
- Gotenberg advisories: https://github.com/gotenberg/gotenberg/security/advisories
- HAXcms / HAX advisories: https://github.com/haxtheweb/issues/security/advisories
- Algernon advisories: https://github.com/xyproto/algernon/security/advisories
- Scriban advisories: https://github.com/scriban/scriban/security/advisories
- Nginx-UI advisories/source: https://github.com/0xJacky/nginx-ui/security/advisories and https://github.com/0xJacky/nginx-ui
- OpenSearch JavaScript client advisories: https://github.com/opensearch-project/opensearch-js/security/advisories
- Python idna advisories: https://github.com/kjd/idna/security/advisories
- ApostropheCMS advisories: https://github.com/apostrophecms/apostrophe/security/advisories
- Weblate advisories: https://github.com/WeblateOrg/weblate/security/advisories
- Typebot advisories: https://github.com/baptisteArno/typebot.io/security/advisories
- XWiki advisories: https://github.com/xwiki/xwiki-commons/security/advisories
- CryptPad advisories: https://github.com/cryptpad/cryptpad/security/advisories
- XWiki Platform advisories: https://github.com/xwiki/xwiki-platform/security/advisories
- Yeoman environment advisories: https://github.com/yeoman/environment/security/advisories
- Fedify advisories: https://github.com/fedify-dev/fedify/security/advisories
- Yamcs advisories: https://github.com/yamcs/yamcs/security/advisories
- FUXA advisories: https://github.com/frangoteam/FUXA/security/advisories
- Kirby CMS advisories: https://github.com/getkirby/kirby/security/advisories
- Kata Containers advisories: https://github.com/kata-containers/kata-containers/security/advisories
- CarrierWave advisories: https://github.com/carrierwaveuploader/carrierwave/security/advisories
- LiquidJS advisories: https://github.com/harttle/liquidjs/security/advisories
- LiteSpeed cPanel plugin security updates: https://blog.litespeedtech.com/
- Apache Tomcat security advisories: https://tomcat.apache.org/security.html
- ImageMagick security policy and releases: https://imagemagick.org/script/security-policy.php
- NiceGUI advisories: https://github.com/zauberzeug/nicegui/security/advisories
- HAPI FHIR project: https://github.com/hapifhir/hapi-fhir
- PyTorch Lightning project: https://github.com/Lightning-AI/pytorch-lightning
- Snorkel project: https://github.com/snorkel-team/snorkel
- PySyft project: https://github.com/OpenMined/PySyft
- .NET security advisories: https://github.com/dotnet/announcements/issues
- ASP.NET Core security advisories: https://github.com/dotnet/aspnetcore/security/advisories
- ws WebSocket advisories: https://github.com/websockets/ws/security/advisories
- AVideo advisories: https://github.com/WWBN/AVideo/security/advisories
- pgAdmin security advisories: https://www.pgadmin.org/support/security/
- Faraday project security advisories: https://github.com/lostisland/faraday/security/advisories
- Docling project and advisories: https://github.com/docling-project/docling and https://github.com/docling-project/docling/security/advisories
- Jupyter Enterprise Gateway advisories: https://github.com/jupyter-server/enterprise_gateway/security/advisories
- browserstack-runner advisories: https://github.com/browserstack/browserstack-runner/security/advisories
- AIOHTTP advisories: https://github.com/aio-libs/aiohttp/security/advisories
- ModelScope advisories/project: https://github.com/modelscope/modelscope/security/advisories and https://github.com/modelscope/modelscope
- Neotoma project: https://github.com/NeotomaDB/neotoma
- Trail of Bits Blog: https://blog.trailofbits.com/ (RSS: https://blog.trailofbits.com/feed/)
- Trail of Bits skill-distribution scanner-bypass research: https://blog.trailofbits.com/2026/06/03/the-sorry-state-of-skill-distribution/
- PortSwigger Research: https://portswigger.net/research (RSS: https://portswigger.net/research/rss)
- Hacktron AI Blog: https://www.hacktron.ai/blog/
- ProjectDiscovery Blog: https://projectdiscovery.io/blog/
- Brutecat Security articles: https://brutecat.com/articles/ (RSS: https://brutecat.com/rss.xml)
- pretix advisories and releases: https://github.com/pretix/pretix/security/advisories and https://pretix.eu/about/en/blog/
- ProjectDiscovery Neo: https://neo.projectdiscovery.io/
- ProjectDiscovery Neo black-box DAST benchmark notes: https://projectdiscovery.io/blog/neo-black-box-dast-capabilities
- Argus validation benchmarks: https://github.com/pensarai/argus-validation-benchmarks
- XBOW validation benchmarks: https://github.com/xbow-engineering/validation-benchmarks
- Caddy security advisories: https://github.com/caddyserver/caddy/security/advisories
- Spring AI MCP Security: https://github.com/spring-ai-community/mcp-security
- webpack-dev-server advisories: https://github.com/webpack/webpack-dev-server/security/advisories
- eduMFA advisories: https://github.com/eduMFA/eduMFA/security/advisories
- Statamic CMS security advisories: https://github.com/statamic/cms/security/advisories
- MLflow security advisories: https://github.com/mlflow/mlflow/security/advisories
- Magick.NET/ImageMagick advisories: https://github.com/dlemstra/Magick.NET/security/advisories
- flash-attention project: https://github.com/Dao-AILab/flash-attention
- Zebra security advisories: https://github.com/ZcashFoundation/zebra/security/advisories
- dynoxide project/advisories: https://github.com/wojciech-graj/dynoxide/security/advisories
- Dozzle project/advisories: https://github.com/amir20/dozzle/security/advisories
- Erlang cowlib advisories: https://github.com/ninenines/cowlib/security/advisories
- LibreNMS advisories: https://github.com/librenms/librenms/security/advisories
- CI4MS advisories: https://github.com/ci4-cms-erp/ci4ms/security/advisories
- OpenTelemetry eBPF Instrumentation advisories: https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories
- Mistral AI package advisories: https://github.com/mistralai/client-python/security/advisories
- Spring AI advisories: https://github.com/spring-projects/spring-ai/security/advisories
- Docker/Moby security advisories: https://github.com/moby/moby/security/advisories
- Budibase advisories: https://github.com/Budibase/budibase/security/advisories
- n8n-MCP advisories: https://github.com/czlonkowski/n8n-mcp/security/advisories
- multiparty advisories: https://github.com/pillarjs/multiparty/security/advisories
- Coder advisories: https://github.com/coder/coder/security/advisories
- 9router advisories/source: https://github.com/advisories?query=9router and https://github.com/9router/9router
- Kong Ingress Controller advisories: https://github.com/Kong/kubernetes-ingress-controller/security/advisories
- Bandit advisories: https://github.com/mtrudel/bandit/security/advisories
- Cowboy advisories: https://github.com/ninenines/cowboy/security/advisories
- MCP Gateway advisories: https://github.com/IBM/mcp-context-forge/security/advisories
- MCP Atlassian advisories/source: https://github.com/sooperset/mcp-atlassian/security/advisories and https://github.com/sooperset/mcp-atlassian
- SQLFluff advisories: https://github.com/sqlfluff/sqlfluff/security/advisories
- libp2p JavaScript advisories: https://github.com/libp2p/js-libp2p/security/advisories
- Kopia advisories: https://github.com/kopia/kopia/security/advisories
- Angular security advisories: https://github.com/angular/angular/security/advisories
- Caddy Defender advisories: https://github.com/JasonLovesDoggo/caddy-defender/security/advisories
- Nautobot security advisories: https://github.com/nautobot/nautobot/security/advisories
- Gradio advisories: https://github.com/gradio-app/gradio/security/advisories
- Anchor framework advisories: https://github.com/coral-xyz/anchor/security/advisories
- Keycloak security advisories: https://github.com/keycloak/keycloak/security/advisories
- Eclipse Jetty security advisories: https://github.com/jetty/jetty.project/security/advisories
- Axios advisories: https://github.com/axios/axios/security/advisories
- Froxlor advisories: https://github.com/froxlor/Froxlor/security/advisories
- GitHub CLI advisories: https://github.com/cli/cli/security/advisories
- seroval advisories: https://github.com/lxsmnsyc/seroval/security/advisories
- Databento DBN advisories: https://github.com/databento/dbn/security/advisories
- Rclone advisories: https://github.com/rclone/rclone/security/advisories
- Mako advisories: https://github.com/sqlalchemy/mako/security/advisories
- Faraday advisories: https://github.com/lostisland/faraday/security/advisories
- pm2 advisories: https://github.com/Unitech/pm2/security/advisories
- Palo Alto Networks security advisories: https://security.paloaltonetworks.com/
- phpMyFAQ advisories: https://github.com/thorsten/phpMyFAQ/security/advisories
- NocoDB advisories: https://github.com/nocodb/nocodb/security/advisories
- MCP Server Kubernetes advisories: https://github.com/Flux159/mcp-server-kubernetes/security/advisories
- FlaskBB advisories: https://github.com/flaskbb/flaskbb/security/advisories
- Knp Snappy advisories: https://github.com/KnpLabs/snappy/security/advisories
- Flowise advisories: https://github.com/FlowiseAI/Flowise/security/advisories
- wger advisories: https://github.com/wger-project/wger/security/advisories
- setup-php advisories: https://github.com/shivammathur/setup-php/security/advisories
- Hugging Face Diffusers advisories: https://github.com/huggingface/diffusers/security/advisories
- OpenTofu advisories: https://github.com/opentofu/opentofu/security/advisories
- Plug advisories: https://github.com/elixir-plug/plug/security/advisories
- Craft CMS security advisories: https://github.com/craftcms/cms/security/advisories
- MCP Registry advisories: https://github.com/modelcontextprotocol/registry/security/advisories
- Hono advisories: https://github.com/honojs/hono/security/advisories
- Nhost advisories: https://github.com/nhost/nhost/security/advisories
- Singularity advisories: https://github.com/sylabs/singularity/security/advisories
- AVideo advisories: https://github.com/WWBN/AVideo/security/advisories
- OpenMeter advisories: https://github.com/openmeterio/openmeter/security/advisories
- Spree advisories: https://github.com/spree/spree/security/advisories
- Gogs advisories/source: https://github.com/gogs/gogs/security/advisories and https://github.com/gogs/gogs
- OpenCTI advisories/source: https://github.com/OpenCTI-Platform/opencti/security/advisories and https://github.com/OpenCTI-Platform/opencti
- motionEye advisories/source: https://github.com/motioneye-project/motioneye/security/advisories and https://github.com/motioneye-project/motioneye
- Paymenter advisories/source: https://github.com/Paymenter/Paymenter/security/advisories and https://github.com/Paymenter/Paymenter
- n8n advisories/source: https://github.com/n8n-io/n8n/security/advisories and https://github.com/n8n-io/n8n
- Sigstore Fulcio advisories/source: https://github.com/sigstore/fulcio/security/advisories and https://github.com/sigstore/fulcio
- CefSharp advisories/source: https://github.com/cefsharp/CefSharp/security/advisories and https://github.com/cefsharp/CefSharp
- AdonisJS bodyparser advisories/source: https://github.com/adonisjs/bodyparser/security/advisories and https://github.com/adonisjs/bodyparser
- Oban Web advisories/source: https://github.com/oban-bg/oban/security/advisories and https://github.com/oban-bg/oban
- Probo advisories/source: https://github.com/probo/probo/security/advisories and https://github.com/probo/probo
- ORAS Go advisories/source: https://github.com/oras-project/oras-go/security/advisories and https://github.com/oras-project/oras-go
- Ghost security advisories/source: https://github.com/TryGhost/Ghost/security/advisories and https://github.com/TryGhost/Ghost
- goshs advisories/source: https://github.com/patrickhener/goshs/security/advisories and https://github.com/patrickhener/goshs
- Apache Ignite advisories/source: https://ignite.apache.org/security.html and https://github.com/apache/ignite
- OnGres SCRAM project: https://github.com/ongres/scram
- oasdiff advisories/source: https://github.com/oasdiff/oasdiff/security/advisories and https://github.com/oasdiff/oasdiff
- KEDA advisories/source: https://github.com/kedacore/keda/security/advisories and https://github.com/kedacore/keda
- Goploy advisories/source: https://github.com/zhenorzz/goploy/security/advisories and https://github.com/zhenorzz/goploy
- ha-mcp advisories/source: https://github.com/homeassistant-ai/ha-mcp/security/advisories and https://github.com/homeassistant-ai/ha-mcp
- aiosmtplib advisories/source: https://github.com/cole/aiosmtplib/security/advisories and https://github.com/cole/aiosmtplib
- Kite advisories/source: https://github.com/zxh326/kite/security/advisories and https://github.com/zxh326/kite
- Apache Fesod advisories/source: https://github.com/apache/fesod/security/advisories and https://github.com/apache/fesod
- Kimai advisories/source: https://github.com/kimai/kimai/security/advisories and https://github.com/kimai/kimai
Network and service discovery¶
- Nmap reference: https://nmap.org/book/man.html
- Nmap NSE reference: https://nmap.org/nsedoc/
- ProjectDiscovery httpx: https://github.com/projectdiscovery/httpx
DNS and subdomain enumeration¶
- OWASP Amass: https://github.com/owasp-amass/amass
- Subfinder: https://github.com/projectdiscovery/subfinder
- PureDNS: https://github.com/d3mondev/puredns
- MassDNS: https://github.com/blechschmidt/massdns
- Gobuster: https://github.com/OJ/gobuster
Maintenance rules¶
- Prefer official documentation, source repos, vendor advisories, and primary project docs.
- Only convert advisory/news items into wiki content when they produce an offensive testing skill, replayable validation workflow, recon heuristic, or exploit-path lesson for authorized work.
- Add a source here when a new skill depends on it repeatedly.
- Remove links that stop being canonical.