GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
3,972
Erlang
29
GitHub Actions
16
Go
1,762
Maven
4,983
npm
3,518
NuGet
609
pip
3,094
Pub
10
RubyGems
833
Rust
782
Swift
34
Unreviewed advisories
All unreviewed
5,000+
181 advisories
Filter by severity
Squalor SQL Injection vulnerability
Critical
CVE-2020-36645
was published
for
github.com/square/squalor
(Go)
Jan 7, 2023
Alist vulnerable to Path Traversal
Critical
CVE-2022-45969
was published
for
github.com/alist-org/alist/v3
(Go)
Dec 16, 2022
Vela Insecure Defaults
Critical
CVE-2022-39395
was published
for
github.com/go-vela/server
(Go)
Nov 9, 2022
KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys
Critical
CVE-2023-22463
was published
for
github.com/KubeOperator/kubepi
(Go)
Jan 6, 2023
Gin-vue-admin subject to Remote Code Execution via file upload vulnerability
Critical
CVE-2022-39345
was published
for
github.com/flipped-aurora/gin-vue-admin/server
(Go)
Oct 25, 2022
HashiCorp Vault underlying database had excessively broad filesystem permissions from v1.4.0 until v1.8.0
Critical
CVE-2021-38553
was published
for
github.com/hashicorp/vault
(Go)
Aug 30, 2021
Gitea vulnerable to Argument Injection
Critical
CVE-2022-42968
was published
for
github.com/go-gitea/gitea
(Go)
Oct 16, 2022
Rancher API and cluster.management.cattle.io object vulnerable to plaintext storage and exposure of credentials
Critical
CVE-2021-36782
was published
for
github.com/rancher/rancher
(Go)
Sep 23, 2022
Improper path handling in kustomization files allows path traversal
Critical
CVE-2022-24877
was published
for
github.com/fluxcd/flux2
(Go)
May 4, 2022
Path Traversal in Dutchcoders transfer.sh
Critical
CVE-2021-33497
was published
for
github.com/dutchcoders/transfer.sh
(Go)
Jun 29, 2021
Authentication Bypass in tyk-identity-broker
Critical
CVE-2021-23365
was published
for
github.com/tyktechnologies/tyk-identity-broker
(Go)
Jun 23, 2021
Git LFS can execute a Git binary from the current directory
Critical
CVE-2020-27955
was published
for
github.com/git-lfs/git-lfs
(Go)
Feb 11, 2022
Authentication Bypass in dex
Critical
CVE-2020-27847
was published
for
github.com/dexidp/dex
(Go)
Dec 20, 2021
Gogs vulnerable to Cross-site Scripting
Critical
CVE-2022-32174
was published
for
gogs.io/gogs
(Go)
Oct 11, 2022
Improper kubeconfig validation allows arbitrary code execution
Critical
CVE-2022-24817
was published
for
github.com/fluxcd/flux2
(Go)
May 16, 2022
HashiCorp Vault vulnerable to incorrect metadata access
Critical
CVE-2022-40186
was published
for
github.com/hashicorp/vault
(Go)
Sep 23, 2022
golang-nanoauth authentication bypass vulnerability
Critical
CVE-2020-36569
was published
for
github.com/nanobox-io/golang-nanoauth
(Go)
Dec 28, 2022
usememos/memos vulnerable to Cross-site Scripting
Critical
CVE-2022-4866
was published
for
github.com/usememos/memos
(Go)
Dec 31, 2022
gorilla/handlers may allow requester to bypass expected behavior of the Same Origin Policy
Critical
CVE-2017-20146
was published
for
github.com/gorilla/handlers
(Go)
Dec 28, 2022
usememos/memos Cross-site Scripting vulnerability
Critical
CVE-2022-4865
was published
for
github.com/usememos/memos
(Go)
Dec 31, 2022
TiDB vulnerable to Use of Externally-Controlled Format String
Critical
CVE-2022-3023
was published
for
github.com/pingcap/tidb
(Go)
Nov 4, 2022
Off-by-one Error in v2fly/v2ray-core
Critical
CVE-2021-4070
was published
for
github.com/v2fly/v2ray-core
(Go)
Feb 24, 2022
Authorization bypass in Openshift
Critical
CVE-2016-1906
was published
for
github.com/openshift/origin
(Go)
Dec 20, 2021
JWT audience claim is not verified
Critical
CVE-2023-22482
was published
for
github.com/argoproj/argo-cd
(Go)
Jan 25, 2023
crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication
Critical
CVE-2022-41912
was published
for
github.com/crewjam/saml
(Go)
Nov 29, 2022
ProTip!
Advisories are also available from the
GraphQL API