GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
16,199 advisories
aiohttp is vulnerable to directory traversal. Severity: Moderate. CVE-2024-23334 was published for aiohttp (pip) on Jan 29, 2024.

Authentik vulnerable to PKCE downgrade attack. Severity: Moderate. CVE-2024-23647 was published for goauthentik.io (Go) on Jan 29, 2024.

Nginx-UI vulnerable to authenticated RCE through injecting into the application config via CRLF. Severity: High. CVE-2024-23828 was published for github.com/0xJacky/Nginx-UI (Go) on Jan 29, 2024.

Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature. Severity: Critical. CVE-2024-23827 was published for github.com/0xJacky/Nginx-UI (Go) on Jan 29, 2024.

aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators. Severity: Low. CVE-2024-23829 was published for aiohttp (pip) on Jan 29, 2024.

MeshCentral algorithm-downgrade issue. Severity: Moderate. CVE-2023-51842 was published for meshcentral (npm) on Jan 29, 2024.

Apache Kylin has Insufficiently Protected Credentials. Severity: Moderate. CVE-2023-29055 was published for org.apache.kylin:kylin-core-common (Maven) on Jan 29, 2024.

OpenFGA denial of service. Severity: Moderate. CVE-2024-23820 was published for github.com/openfga/openfga (Go) on Jan 26, 2024.

Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers. Severity: High. CVE-2024-23656 was published for github.com/dexidp/dex (Go) on Jan 26, 2024.

Arbitrary Code Execution in Processwire. Severity: Critical. CVE-2023-24676 was published for processwire/processwire (Composer) on Jan 24, 2024.

Any authenticated user may obtain private message details from other users on the same instance. Severity: High. CVE-2024-23649 was published for lemmy_server (Rust) on Jan 24, 2024.

Host header injection in the password reset. Severity: High. CVE-2024-23648 was published for pimcore/admin-ui-classic-bundle (Composer) on Jan 24, 2024.

SQL Injection in Admin download files as zip. Severity: High. CVE-2024-23646 was published for pimcore/admin-ui-classic-bundle (Composer) on Jan 24, 2024.

Unauthenticated Nonce Increment in snow. Severity: Moderate. GHSA-7g9j-g5jg-3vv3 was published for snow (Rust) on Jan 24, 2024.

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in trillium-http and trillium-client. Severity: Moderate. CVE-2024-23644 was published for trillium-client (Rust) on Jan 24, 2024.

Shared projects are unconditionally discovered by Jenkins GitLab Branch Source Plugin. Severity: Moderate. CVE-2024-23901 was published for io.jenkins.plugins:gitlab-branch-source (Maven) on Jan 24, 2024.

Path traversal vulnerability in Jenkins Matrix Project Plugin. Severity: Moderate. CVE-2024-23900 was published for org.jenkins-ci.plugins:matrix-project (Maven) on Jan 24, 2024.

Arbitrary file read vulnerability in Git server Plugin can lead to RCE. Severity: High. CVE-2024-23899 was published for org.jenkins-ci.plugins:git-server (Maven) on Jan 24, 2024.

Non-constant time webhook token comparison in Jenkins GitLab Branch Source Plugin. Severity: Low. CVE-2024-23903 was published for io.jenkins.plugins:gitlab-branch-source (Maven) on Jan 24, 2024.

CSRF vulnerability in Jenkins GitLab Branch Source Plugin. Severity: Moderate. CVE-2024-23902 was published for io.jenkins.plugins:gitlab-branch-source (Maven) on Jan 24, 2024.

Cross-site WebSocket hijacking vulnerability in the Jenkins CLI. Severity: High. CVE-2024-23898 was published for org.jenkins-ci.main:jenkins-core (Maven) on Jan 24, 2024.

Content-Security-Policy disabled by Red Hat Dependency Analytics Jenkins Plugin. Severity: High. CVE-2024-23905 was published for io.jenkins.plugins:redhat-dependency-analytics (Maven) on Jan 24, 2024.

Arbitrary file read vulnerability in Jenkins Log Command Plugin. Severity: High. CVE-2024-23904 was published for org.jenkins-ci.plugins:log-command (Maven) on Jan 24, 2024.

Arbitrary file read vulnerability through the Jenkins CLI can lead to RCE. Severity: Critical. CVE-2024-23897 was published for org.jenkins-ci.main:jenkins-core (Maven) on Jan 24, 2024.

Apache Airflow CNCF Kubernetes provider, Apache Airflow: Kubernetes configuration file saved without encryption in the Metadata and logged as plain text in the Triggerer service. Severity: Low. CVE-2023-51702 was published for apache-airflow (pip) on Jan 24, 2024.