GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
3,988
Erlang
29
GitHub Actions
16
Go
1,776
Maven
5,000+
npm
3,542
NuGet
617
pip
3,125
Pub
10
RubyGems
838
Rust
790
Swift
34
Unreviewed advisories
All unreviewed
5,000+
19,536 advisories
Filter by severity
ProcessWire Cross Site Request Forgery vulnerability
Moderate
CVE-2024-41597
was published
for
processwire/processwire
(Composer)
Jul 19, 2024
Calibre-Web Cross Site Scripting (XSS)
Moderate
CVE-2024-39123
was published
for
calibreweb
(pip)
Jul 19, 2024
Automad arbitrary file upload vulnerability
High
CVE-2024-40400
was published
for
automad/automad
(Composer)
Jul 19, 2024
Craft CMS SQL injection vulnerability via the GraphQL API endpoint
Critical
CVE-2024-37843
was published
for
craftcms/cms
(Composer)
Jun 25, 2024
Improper Output Neutralization for Logs in Spring Framework
Moderate
CVE-2021-22096
was published
for
org.springframework:spring
(Maven)
May 24, 2022
lunary-ai/lunary XSS in SAML metadata endpoint
High
CVE-2024-5478
was published
for
lunary
(npm)
Jun 6, 2024
[PUNCIA] [CWE-319] Cleartext Transmission of Sensitive Information via HTTP urls in `API_URLS`
Low
CVE-2024-41124
was published
for
puncia
(pip)
Jul 19, 2024
Woodpecker's custom workspace allow to overwrite plugin entrypoint executable
High
CVE-2024-41121
was published
for
go.woodpecker-ci.org/woodpecker
(Go)
Jul 19, 2024
Woodpecker's custom environment variables allow to alter execution flow of plugins
High
CVE-2024-41122
was published
for
go.woodpecker-ci.org/woodpecker
(Go)
Jul 19, 2024
dbt has an implicit override for built-in materializations from installed packages
Moderate
CVE-2024-40637
was published
for
dbt-core
(pip)
Jul 17, 2024
Apache Airflow Potential Cross-site Scripting Vulnerability
Moderate
CVE-2024-39863
was published
for
apache-airflow
(pip)
Jul 17, 2024
Apache CXF allows unrestricted memory consumption in CXF HTTP clients
Low
CVE-2024-41172
was published
for
org.apache.cxf:cxf-rt-transports-http
(Maven)
Jul 19, 2024
Apache CXF Denial of Service vulnerability in JOSE
Moderate
CVE-2024-32007
was published
for
org.apache.cxf:cxf-rt-rs-security-jose
(Maven)
Jul 19, 2024
Apache CXF: SSRF vulnerability via WADL stylesheet parameter
High
CVE-2024-29736
was published
for
org.apache.cxf:cxf-rt-rs-service-description
(Maven)
Jul 19, 2024
Withdrawn Advisory: Insufficient Granularity of Access Control in JSDom
Low
CVE-2021-20066
was published
for
jsdom
(npm)
May 24, 2022
•
withdrawn
Skupper uses a static cookie secret for the openshift oauth-proxy
Moderate
CVE-2024-6535
was published
for
github.com/skupperproject/skupper
(Go)
Jul 17, 2024
gRPC-Go HTTP/2 Rapid Reset vulnerability
High
GHSA-m425-mq94-257g
was published
for
google.golang.org/grpc
(Go)
Oct 25, 2023
Improper Input Validation in Datomic
High
CVE-2018-10054
was published
for
com.datomic:datomic-free
(Maven)
May 13, 2022
matrix-sdk-crypto's `UserIdentity::is_verified` not checking verification status of own user identity while performing the check
Moderate
CVE-2024-40648
was published
for
matrix-sdk-crypto
(Rust)
Jul 18, 2024
Hugo Markdown titles do not escaped in internal render hooks
Moderate
CVE-2024-32875
was published
for
github.com/gohugoio/hugo
(Go)
Apr 23, 2024
LibOSDP RMAC revert to the beginning of the session
Moderate
GHSA-xhjw-7vh5-qxqm
was published
for
libosdp
(pip)
Mar 8, 2024
TorchServe vulnerable to bypass of allowed_urls configuration
Moderate
CVE-2024-35198
was published
for
torchserve
(pip)
Jul 18, 2024
Absent Input Validation in BinaryHttpParser
High
CVE-2024-40642
was published
for
io.netty.incubator:netty-incubator-codec-bhttp
(Maven)
Jul 18, 2024
ProTip!
Advisories are also available from the
GraphQL API