
Source index

Maintain this as the seed list of official or primary sources for the tool families documented here. Use these sources to discover offensive operator guidance for authorized testing, not blue-team alerting or defensive SecOps runbooks.

Application security research

  • GitHub Security Advisories: https://github.com/advisories
  • arnika advisories: https://github.com/arnika-project/arnika/security/advisories
  • PraisonAI advisories: https://github.com/MervinPraison/PraisonAI/security/advisories
  • Formie advisories: https://github.com/verbb/formie/security/advisories
  • authentik advisories: https://github.com/goauthentik/authentik/security/advisories
  • CC-Tweaked advisories: https://github.com/cc-tweaked/CC-Tweaked/security/advisories
  • Keras advisories: https://github.com/keras-team/keras/security/advisories
  • Admidio advisories: https://github.com/Admidio/admidio/security/advisories
  • OpenC3 COSMOS advisories: https://github.com/OpenC3/cosmos/security/advisories
  • YARD advisories: https://github.com/lsegal/yard/security/advisories
  • Ouroboros advisories: https://github.com/Q00/ouroboros/security/advisories
  • Stigmem advisories: https://github.com/eidetic-labs/stigmem/security/advisories
  • Koel advisories: https://github.com/koel/koel/security/advisories
  • Summarize advisories: https://github.com/steipete/summarize/security/advisories and https://www.vulncheck.com/advisories/
  • Amazon Redshift Python driver advisories: https://github.com/aws/amazon-redshift-python-driver/security/advisories
  • uv advisories: https://github.com/astral-sh/uv/security/advisories
  • russh advisories: https://github.com/Eugeny/russh/security/advisories
  • AgenticMail advisories: https://github.com/agenticmail/agenticmail/security/advisories
  • tar-rs advisories: https://github.com/composefs/tar-rs/security/advisories
  • Parse Server advisories: https://github.com/parse-community/parse-server/security/advisories
  • Palo Alto Networks PAN-OS advisories: https://security.paloaltonetworks.com/
  • vm2 advisories: https://github.com/patriksimek/vm2/security/advisories
  • SGLang advisories: https://github.com/sgl-project/sglang/security/advisories
  • ChromaDB advisories and research: https://github.com/chroma-core/chroma/security/advisories and https://www.hiddenlayer.com/research/chromatoast-served-pre-auth
  • ngrok npm wrapper advisory reference: https://gist.github.com/Dremig/90c2a0a2f85b0921f10e0bb3192a0c23
  • astral-tokio-tar advisories: https://github.com/astral-sh/tokio-tar/security/advisories
  • eZ Publish Legacy security advisories/labs: https://github.com/ezsystems/ezpublish-legacy/security/advisories and https://github.com/Goaterino/ezpublish-legacy-lab
  • Cluster API Provider Metal3 advisories: https://github.com/metal3-io/cluster-api-provider-metal3/security/advisories
  • python-tuf advisories: https://github.com/theupdateframework/python-tuf/security/advisories
  • Dulwich advisories: https://github.com/dulwich/dulwich/security/advisories
  • nono advisories: https://github.com/always-further/nono/security/advisories
  • local-deep-research advisories: https://github.com/LearningCircuit/local-deep-research/security/advisories
  • shamefile advisories: https://github.com/BKDDFS/shamefile/security/advisories
  • Symfony polyfill advisories: https://github.com/symfony/polyfill/security/advisories
  • mem0 advisories: https://github.com/mem0ai/mem0/security/advisories
  • compliance-trestle advisories: https://github.com/oscal-compass/compliance-trestle/security/advisories
  • Flask-HTTPAuth advisories: https://github.com/miguelgrinberg/Flask-HTTPAuth/security/advisories
  • league/commonmark advisories: https://github.com/thephpleague/commonmark/security/advisories
  • mamba / mamba-ssm advisories: https://github.com/state-spaces/mamba/security/advisories
  • Guardrails AI advisories: https://github.com/guardrails-ai/guardrails/security/advisories
  • Horovod project advisories: https://github.com/horovod/horovod/security/advisories
  • AsyncSSH advisories: https://github.com/ronf/asyncssh/security/advisories
  • Automad advisories: https://github.com/marcantondahmen/automad/security/advisories
  • Hapi content advisories: https://github.com/hapijs/content/security/advisories
  • Hapi wreck advisories: https://github.com/hapijs/wreck/security/advisories
  • Pimcore advisories: https://github.com/pimcore/pimcore/security/advisories
  • Symfony routing advisories: https://github.com/symfony/symfony/security/advisories
  • Symfony security-http advisories: https://github.com/symfony/symfony/security/advisories
  • Symfony HtmlSanitizer advisories: https://github.com/symfony/symfony/security/advisories
  • Capsule / Project Capsule advisories: https://github.com/projectcapsule/capsule/security/advisories
  • Symfony MonologBridge advisories: https://github.com/symfony/symfony/security/advisories
  • Symfony Cache advisories: https://github.com/symfony/symfony/security/advisories
  • Symfony Mailer advisories: https://github.com/symfony/symfony/security/advisories
  • Symfony Mime advisories: https://github.com/symfony/symfony/security/advisories
  • Symfony DomCrawler advisories: https://github.com/symfony/symfony/security/advisories
  • CrowdSec advisories: https://github.com/crowdsecurity/crowdsec/security/advisories
  • Deno advisories: https://github.com/denoland/deno/security/advisories
  • Langroid advisories: https://github.com/langroid/langroid/security/advisories
  • tmp / node-tmp advisories: https://github.com/raszi/node-tmp/security/advisories
  • Nezha Monitoring advisories: https://github.com/nezhahq/nezha/security/advisories
  • Arcane advisories: https://github.com/getarcaneapp/arcane/security/advisories
  • AstrBot advisories: https://github.com/AstrBotDevs/AstrBot/security/advisories
  • Beetl project issues/advisories: https://gitee.com/xiandafu/beetl/issues
  • instagrapi advisories: https://github.com/subzeroid/instagrapi/security/advisories
  • aiograpi advisories: https://github.com/subzeroid/aiograpi/security/advisories
  • Flask-Security advisories: https://github.com/pallets-eco/flask-security/security/advisories
  • FileBrowser Quantum advisories: https://github.com/gtsteffaniak/filebrowser/security/advisories
  • Drupal core security advisories: https://www.drupal.org/security
  • Prefect security advisories: https://github.com/PrefectHQ/prefect/security/advisories
  • Apache Camel security advisories: https://camel.apache.org/security/
  • Apache Airflow security advisories: https://github.com/apache/airflow/security/advisories
  • Fission security advisories: https://github.com/fission/fission/security/advisories
  • Boxlite security advisories: https://github.com/rapiz1/boxlite/security/advisories
  • containerd security advisories: https://github.com/containerd/containerd/security/advisories
  • Pydantic AI security advisories: https://github.com/pydantic/pydantic-ai/security/advisories
  • SQLAdmin security advisories: https://github.com/aminalaee/sqladmin/security/advisories
  • Twig security advisories: https://github.com/twigphp/Twig/security/advisories
  • Tekton Pipelines security advisories: https://github.com/tektoncd/pipeline/security/advisories
  • Apache Flink security advisories: https://flink.apache.org/what-is-flink/security/
  • YesWiki security advisories: https://github.com/YesWiki/yeswiki/security/advisories
  • Network-AI security advisories: https://github.com/Jovancoding/Network-AI/security/advisories
  • JavaScript Cookie security advisories: https://github.com/js-cookie/js-cookie/security/advisories
  • pyload-ng security advisories: https://github.com/pyload/pyload/security/advisories
  • Crawlee security advisories: https://github.com/apify/crawlee-python/security/advisories
  • Crabbox security advisories: https://github.com/openclaw/crabbox/security/advisories
  • Langflow security advisories: https://github.com/langflow-ai/langflow/security/advisories
  • samlify advisories: https://github.com/tngan/samlify/security/advisories
  • Windows-MCP advisories: https://github.com/CursorTouch/Windows-MCP/security/advisories
  • OpenMetadata advisories: https://github.com/open-metadata/OpenMetadata/security/advisories
  • sanitize-html advisories: https://github.com/apostrophecms/sanitize-html/security/advisories
  • SvelteKit advisories: https://github.com/sveltejs/kit/security/advisories
  • md-fileserver advisories: https://github.com/commenthol/md-fileserver/security/advisories
  • Amazon SageMaker Python SDK advisories: https://github.com/aws/sagemaker-python-sdk/security/advisories
  • LMDeploy advisories: https://github.com/InternLM/lmdeploy/security/advisories
  • pip security advisories: https://github.com/pypa/pip/security/advisories
  • OpenClaude advisories: https://github.com/Gitlawb/openclaude/security/advisories
  • TeleJSON advisories: https://github.com/storybookjs/telejson/security/advisories
  • Apify MCP server advisories: https://github.com/apify/actors-mcp-server/security/advisories
  • protobufjs advisories: https://github.com/protobufjs/protobuf.js/security/advisories
  • Open WebUI advisories: https://github.com/open-webui/open-webui/security/advisories
  • OpenClaw advisories: https://github.com/openclaw/openclaw/security/advisories
  • HashiCorp Nomad advisories: https://github.com/hashicorp/nomad/security/advisories
  • go-git advisories: https://github.com/go-git/go-git/security/advisories
  • zrok advisories: https://github.com/openziti/zrok/security/advisories
  • Mailpit advisories: https://github.com/axllent/mailpit/security/advisories
  • Argo CD advisories: https://github.com/argoproj/argo-cd/security/advisories
  • Nuxt advisories: https://github.com/nuxt/nuxt/security/advisories
  • Gotenberg advisories: https://github.com/gotenberg/gotenberg/security/advisories
  • HAXcms / HAX advisories: https://github.com/haxtheweb/issues/security/advisories
  • Algernon advisories: https://github.com/xyproto/algernon/security/advisories
  • Scriban advisories: https://github.com/scriban/scriban/security/advisories
  • OpenSearch JavaScript client advisories: https://github.com/opensearch-project/opensearch-js/security/advisories
  • Python idna advisories: https://github.com/kjd/idna/security/advisories
  • ApostropheCMS advisories: https://github.com/apostrophecms/apostrophe/security/advisories
  • Weblate advisories: https://github.com/WeblateOrg/weblate/security/advisories
  • Typebot advisories: https://github.com/baptisteArno/typebot.io/security/advisories
  • XWiki advisories: https://github.com/xwiki/xwiki-commons/security/advisories
  • CryptPad advisories: https://github.com/cryptpad/cryptpad/security/advisories
  • XWiki Platform advisories: https://github.com/xwiki/xwiki-platform/security/advisories
  • Yeoman environment advisories: https://github.com/yeoman/environment/security/advisories
  • Fedify advisories: https://github.com/fedify-dev/fedify/security/advisories
  • Yamcs advisories: https://github.com/yamcs/yamcs/security/advisories
  • FUXA advisories: https://github.com/frangoteam/FUXA/security/advisories
  • Kirby CMS advisories: https://github.com/getkirby/kirby/security/advisories
  • Kata Containers advisories: https://github.com/kata-containers/kata-containers/security/advisories
  • CarrierWave advisories: https://github.com/carrierwaveuploader/carrierwave/security/advisories
  • LiquidJS advisories: https://github.com/harttle/liquidjs/security/advisories
  • LiteSpeed cPanel plugin security updates: https://blog.litespeedtech.com/
  • Apache Tomcat security advisories: https://tomcat.apache.org/security.html
  • ImageMagick security policy and releases: https://imagemagick.org/script/security-policy.php
  • NiceGUI advisories: https://github.com/zauberzeug/nicegui/security/advisories
  • HAPI FHIR project: https://github.com/hapifhir/hapi-fhir
  • PyTorch Lightning project: https://github.com/Lightning-AI/pytorch-lightning
  • Snorkel project: https://github.com/snorkel-team/snorkel
  • PySyft project: https://github.com/OpenMined/PySyft
  • .NET security advisories: https://github.com/dotnet/announcements/issues
  • ASP.NET Core security advisories: https://github.com/dotnet/aspnetcore/security/advisories
  • ws WebSocket advisories: https://github.com/websockets/ws/security/advisories
  • AVideo advisories: https://github.com/WWBN/AVideo/security/advisories
  • pgAdmin security advisories: https://www.pgadmin.org/support/security/
  • Faraday project security advisories: https://github.com/lostisland/faraday/security/advisories
  • Docling project: https://github.com/docling-project/docling
  • Neotoma project: https://github.com/NeotomaDB/neotoma
  • Trail of Bits Blog: https://blog.trailofbits.com/ (RSS: https://blog.trailofbits.com/feed/)
  • Hacktron AI Blog: https://www.hacktron.ai/blog/
  • ProjectDiscovery Blog: https://projectdiscovery.io/blog/
  • ProjectDiscovery Neo: https://neo.projectdiscovery.io/
  • ProjectDiscovery Neo black-box DAST benchmark notes: https://projectdiscovery.io/blog/neo-black-box-dast-capabilities
  • Argus validation benchmarks: https://github.com/pensarai/argus-validation-benchmarks
  • XBOW validation benchmarks: https://github.com/xbow-engineering/validation-benchmarks
  • Caddy security advisories: https://github.com/caddyserver/caddy/security/advisories
  • Spring AI MCP Security: https://github.com/spring-ai-community/mcp-security
  • webpack-dev-server advisories: https://github.com/webpack/webpack-dev-server/security/advisories
  • eduMFA advisories: https://github.com/eduMFA/eduMFA/security/advisories
  • Statamic CMS security advisories: https://github.com/statamic/cms/security/advisories
  • MLflow security advisories: https://github.com/mlflow/mlflow/security/advisories
  • Magick.NET/ImageMagick advisories: https://github.com/dlemstra/Magick.NET/security/advisories
  • flash-attention project: https://github.com/Dao-AILab/flash-attention
  • Zebra security advisories: https://github.com/ZcashFoundation/zebra/security/advisories
  • dynoxide project/advisories: https://github.com/wojciech-graj/dynoxide/security/advisories
  • Dozzle project/advisories: https://github.com/amir20/dozzle/security/advisories
  • Erlang cowlib advisories: https://github.com/ninenines/cowlib/security/advisories
  • LibreNMS advisories: https://github.com/librenms/librenms/security/advisories
  • CI4MS advisories: https://github.com/ci4-cms-erp/ci4ms/security/advisories
  • OpenTelemetry eBPF Instrumentation advisories: https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories
  • Mistral AI package advisories: https://github.com/mistralai/client-python/security/advisories
  • Spring AI advisories: https://github.com/spring-projects/spring-ai/security/advisories
  • Docker/Moby security advisories: https://github.com/moby/moby/security/advisories
  • Budibase advisories: https://github.com/Budibase/budibase/security/advisories
  • n8n-MCP advisories: https://github.com/czlonkowski/n8n-mcp/security/advisories
  • multiparty advisories: https://github.com/pillarjs/multiparty/security/advisories
  • Coder advisories: https://github.com/coder/coder/security/advisories
  • Kong Ingress Controller advisories: https://github.com/Kong/kubernetes-ingress-controller/security/advisories
  • Bandit advisories: https://github.com/mtrudel/bandit/security/advisories
  • Cowboy advisories: https://github.com/ninenines/cowboy/security/advisories
  • MCP Gateway advisories: https://github.com/IBM/mcp-context-forge/security/advisories
  • SQLFluff advisories: https://github.com/sqlfluff/sqlfluff/security/advisories
  • libp2p JavaScript advisories: https://github.com/libp2p/js-libp2p/security/advisories
  • Kopia advisories: https://github.com/kopia/kopia/security/advisories
  • Angular security advisories: https://github.com/angular/angular/security/advisories
  • Caddy Defender advisories: https://github.com/JasonLovesDoggo/caddy-defender/security/advisories
  • Nautobot security advisories: https://github.com/nautobot/nautobot/security/advisories
  • Gradio advisories: https://github.com/gradio-app/gradio/security/advisories
  • Anchor framework advisories: https://github.com/coral-xyz/anchor/security/advisories
  • Keycloak security advisories: https://github.com/keycloak/keycloak/security/advisories
  • Eclipse Jetty security advisories: https://github.com/jetty/jetty.project/security/advisories
  • Axios advisories: https://github.com/axios/axios/security/advisories
  • Froxlor advisories: https://github.com/froxlor/Froxlor/security/advisories
  • GitHub CLI advisories: https://github.com/cli/cli/security/advisories
  • seroval advisories: https://github.com/lxsmnsyc/seroval/security/advisories
  • Databento DBN advisories: https://github.com/databento/dbn/security/advisories
  • Rclone advisories: https://github.com/rclone/rclone/security/advisories
  • Mako advisories: https://github.com/sqlalchemy/mako/security/advisories
  • pm2 advisories: https://github.com/Unitech/pm2/security/advisories
  • Palo Alto Networks security advisories: https://security.paloaltonetworks.com/
  • phpMyFAQ advisories: https://github.com/thorsten/phpMyFAQ/security/advisories
  • NocoDB advisories: https://github.com/nocodb/nocodb/security/advisories
  • MCP Server Kubernetes advisories: https://github.com/Flux159/mcp-server-kubernetes/security/advisories
  • FlaskBB advisories: https://github.com/flaskbb/flaskbb/security/advisories
  • Knp Snappy advisories: https://github.com/KnpLabs/snappy/security/advisories
  • Flowise advisories: https://github.com/FlowiseAI/Flowise/security/advisories
  • wger advisories: https://github.com/wger-project/wger/security/advisories
  • setup-php advisories: https://github.com/shivammathur/setup-php/security/advisories
  • Hugging Face Diffusers advisories: https://github.com/huggingface/diffusers/security/advisories
  • OpenTofu advisories: https://github.com/opentofu/opentofu/security/advisories
  • Plug advisories: https://github.com/elixir-plug/plug/security/advisories
  • Craft CMS security advisories: https://github.com/craftcms/cms/security/advisories

Network and service discovery

  • Nmap reference: https://nmap.org/book/man.html
  • Nmap NSE reference: https://nmap.org/nsedoc/
  • ProjectDiscovery httpx: https://github.com/projectdiscovery/httpx

DNS and subdomain enumeration

  • OWASP Amass: https://github.com/owasp-amass/amass
  • Subfinder: https://github.com/projectdiscovery/subfinder
  • PureDNS: https://github.com/d3mondev/puredns
  • MassDNS: https://github.com/blechschmidt/massdns
  • Gobuster: https://github.com/OJ/gobuster

Maintenance rules

  • Prefer official documentation, source repos, vendor advisories, and primary project docs.
  • Only convert advisory/news items into wiki content when they produce an offensive testing skill, replayable validation workflow, recon heuristic, or exploit-path lesson for authorized work.
  • Add a source here when a new skill depends on it repeatedly.
  • Remove links that stop being canonical.