
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.

181 advisories

Squalor SQL Injection vulnerability Critical
CVE-2020-36645 was published for github.com/square/squalor (Go) Jan 7, 2023
Alist vulnerable to Path Traversal Critical
CVE-2022-45969 was published for github.com/alist-org/alist/v3 (Go) Dec 16, 2022
Vela Insecure Defaults Critical
CVE-2022-39395 was published for github.com/go-vela/server (Go) Nov 9, 2022
KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys Critical
CVE-2023-22463 was published for github.com/KubeOperator/kubepi (Go) Jan 6, 2023
Gin-vue-admin subject to Remote Code Execution via file upload vulnerability Critical
CVE-2022-39345 was published for github.com/flipped-aurora/gin-vue-admin/server (Go) Oct 25, 2022
HashiCorp Vault underlying database had excessively broad filesystem permissions from v1.4.0 until v1.8.0 Critical
CVE-2021-38553 was published for github.com/hashicorp/vault (Go) Aug 30, 2021
Gitea vulnerable to Argument Injection Critical
CVE-2022-42968 was published for github.com/go-gitea/gitea (Go) Oct 16, 2022
Rancher API and cluster.management.cattle.io object vulnerable to plaintext storage and exposure of credentials Critical
CVE-2021-36782 was published for github.com/rancher/rancher (Go) Sep 23, 2022
Improper path handling in kustomization files allows path traversal Critical
CVE-2022-24877 was published for github.com/fluxcd/flux2 (Go) May 4, 2022
Path Traversal in Dutchcoders transfer.sh Critical
CVE-2021-33497 was published for github.com/dutchcoders/transfer.sh (Go) Jun 29, 2021
Authentication Bypass in tyk-identity-broker Critical
CVE-2021-23365 was published for github.com/tyktechnologies/tyk-identity-broker (Go) Jun 23, 2021
Git LFS can execute a Git binary from the current directory Critical
CVE-2020-27955 was published for github.com/git-lfs/git-lfs (Go) Feb 11, 2022
Authentication Bypass in dex Critical
CVE-2020-27847 was published for github.com/dexidp/dex (Go) Dec 20, 2021
Gogs vulnerable to Cross-site Scripting Critical
CVE-2022-32174 was published for gogs.io/gogs (Go) Oct 11, 2022
Improper kubeconfig validation allows arbitrary code execution Critical
CVE-2022-24817 was published for github.com/fluxcd/flux2 (Go) May 16, 2022
HashiCorp Vault vulnerable to incorrect metadata access Critical
CVE-2022-40186 was published for github.com/hashicorp/vault (Go) Sep 23, 2022
golang-nanoauth authentication bypass vulnerability Critical
CVE-2020-36569 was published for github.com/nanobox-io/golang-nanoauth (Go) Dec 28, 2022
usememos/memos vulnerable to Cross-site Scripting Critical
CVE-2022-4866 was published for github.com/usememos/memos (Go) Dec 31, 2022
gorilla/handlers may allow requester to bypass expected behavior of the Same Origin Policy Critical
CVE-2017-20146 was published for github.com/gorilla/handlers (Go) Dec 28, 2022
usememos/memos Cross-site Scripting vulnerability Critical
CVE-2022-4865 was published for github.com/usememos/memos (Go) Dec 31, 2022
TiDB vulnerable to Use of Externally-Controlled Format String Critical
CVE-2022-3023 was published for github.com/pingcap/tidb (Go) Nov 4, 2022
Off-by-one Error in v2fly/v2ray-core Critical
CVE-2021-4070 was published for github.com/v2fly/v2ray-core (Go) Feb 24, 2022
Authorization bypass in Openshift Critical
CVE-2016-1906 was published for github.com/openshift/origin (Go) Dec 20, 2021
JWT audience claim is not verified Critical
CVE-2023-22482 was published for github.com/argoproj/argo-cd (Go) Jan 25, 2023
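Two entries in this listing, the forged-JWT login in KubePi (hardcoded signing keys, CVE-2023-22463) and the unverified audience claim in Argo CD (CVE-2023-22482), both come down to incomplete JWT validation on the server side. The following Go program is an added example written for this page; it is not code from either project or from the advisory database, and it does not reproduce either bug. It uses only the standard library and HS256 for brevity; the key, issuer, subject and audience strings are constructed for the demonstration. It shows the three checks a verifier must perform before trusting a token: pin the algorithm, check the signature against a key the server alone holds, and require that the aud claim names this service.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of registered JWT claims this example returns.
type Claims struct {
	Issuer   string
	Subject  string
	Audience []string
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 builds a compact HS256 token. It exists only to construct test input;
// in a real deployment the issuer, not the verifier, mints tokens.
func signHS256(key []byte, claims map[string]interface{}) (string, error) {
	header := b64url([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64url(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64url(mac.Sum(nil)), nil
}

// parseAud decodes "aud", which RFC 7519 allows as a single string or an array of strings.
func parseAud(raw json.RawMessage) ([]string, error) {
	if len(raw) == 0 {
		return nil, nil // claim absent
	}
	var single string
	if err := json.Unmarshal(raw, &single); err == nil {
		return []string{single}, nil
	}
	var list []string
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, fmt.Errorf("aud claim is neither string nor string array: %w", err)
	}
	return list, nil
}

// VerifyHS256 accepts a token only if the header pins HS256 (rejecting "none" and
// key-confusion tricks), the HMAC over header.payload matches the server-held key,
// and the aud claim contains expectedAud, the identifier this service was issued for.
func VerifyHS256(token string, key []byte, expectedAud string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected three segments")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("bad header encoding: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, fmt.Errorf("unsupported or missing alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) { // constant-time compare
		return nil, errors.New("signature verification failed")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("bad payload encoding: %w", err)
	}
	var raw struct {
		Iss string          `json:"iss"`
		Sub string          `json:"sub"`
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(payload, &raw); err != nil {
		return nil, fmt.Errorf("bad payload JSON: %w", err)
	}
	aud, err := parseAud(raw.Aud)
	if err != nil {
		return nil, err
	}
	for _, a := range aud {
		if a == expectedAud {
			return &Claims{Issuer: raw.Iss, Subject: raw.Sub, Audience: aud}, nil
		}
	}
	// A missing aud falls through here too: a token not addressed to us is not accepted.
	return nil, fmt.Errorf("audience %v does not include %q", aud, expectedAud)
}

func main() {
	key := []byte("constructed-demo-key-do-not-use") // constructed; must be per-deployment and secret
	good, _ := signHS256(key, map[string]interface{}{"iss": "https://sso.example", "sub": "alice", "aud": "argocd-api"})
	wrongAud, _ := signHS256(key, map[string]interface{}{"sub": "alice", "aud": []string{"billing-api"}})
	forged, _ := signHS256([]byte("guessed-key"), map[string]interface{}{"sub": "alice", "aud": "argocd-api"})
	for _, tok := range []string{good, wrongAud, forged} {
		c, err := VerifyHS256(tok, key, "argocd-api")
		fmt.Printf("claims=%+v err=%v\n", c, err)
	}
}
```

The audience check matters because a token legitimately issued to one service (here the constructed "billing-api") is otherwise a valid credential at every other service sharing the same issuer or key. The signature check is only as strong as the key's secrecy: a key hardcoded in a public repository, as in the KubePi entry, lets anyone mint tokens that pass this function, so the remedy there is key management rather than parser logic.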
crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication Critical
CVE-2022-41912 was published for github.com/crewjam/saml (Go) Nov 29, 2022
Advisories are also available from the GraphQL API.