GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
382 advisories
CVE | Severity | Advisory | Package (ecosystem) | Published
CVE-2024-23647 | Moderate | Authentik vulnerable to PKCE downgrade attack | goauthentik.io (Go) | Jan 29, 2024
CVE-2014-0214 | Moderate | Moodle creates a MoodleMobile web-service token with an infinite lifetime | moodle/moodle (Composer) | May 13, 2022
CVE-2022-47633 | High | kyverno verifyImages rule bypass possible with malicious proxy/registry | github.com/kyverno/kyverno (Go) | Dec 21, 2022
CVE-2022-46146 | Moderate | Prometheus Exporter-Toolkit is vulnerable to authentication bypass | github.com/prometheus/exporter-toolkit (Go) | Dec 2, 2022
CVE-2009-1595 | Moderate | Ignite Realtime Openfire Allows Users to Change Passwords of Arbitrary Accounts | org.igniterealtime.openfire:parent (Maven) | May 2, 2022
CVE-2009-0256 | High | Authentication library in TYPO3 vulnerable to session fixation | typo3/cms (Composer) | May 2, 2022
CVE-2023-46942 | High | EverShop vulnerable to improper authorization in GraphQL endpoints | @evershop/evershop (npm) | Jan 13, 2024
CVE-2023-41900 | Low | Jetty's OpenId Revoked authentication allows one request | org.eclipse.jetty:jetty-openid (Maven) | Sep 15, 2023
CVE-2022-24738 | High | Account compromise in Evmos | github.com/tharsis/evmos (Go) | Mar 7, 2022
CVE-2024-22206 | Critical | @clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR) | @clerk/nextjs (npm) | Jan 12, 2024
CVE-2011-4628 | Critical | Typo3 Authentication Bypass | typo3/cms (Composer) | Apr 22, 2022
CVE-2012-4457 | Moderate | OpenStack Keystone Token authorization for a user in a disabled tenant is allowed | Keystone (pip) | May 14, 2022
CVE-2012-4418 | Moderate | Apache Axis2 Vulnerable to XML Signature wrapping attack | org.apache.axis2:axis2 (Maven) | May 17, 2022
CVE-2012-0215 | Moderate | Trytond allows modification of privileges of arbitrary users | trytond (pip) | May 4, 2022
CVE-2012-0797 | Moderate | Moodle Users Can Bypass Deleted Status | moodle/moodle (Composer) | May 13, 2022
CVE-2012-5471 | Moderate | Moodle Allows Unauthenticated Dropbox Access | moodle/moodle (Composer) | May 13, 2022
CVE-2012-3387 | Moderate | Moodle Authentication Bypass in File Upload | moodle/moodle (Composer) | May 13, 2022
CVE-2021-1725 | Moderate | botframework-connector vulnerable to Improper Authentication | botframework-connector (npm) | Mar 8, 2021
CVE-2024-21632 | High | Omniauth::MicrosoftGraph Account takeover (nOAuth) | omniauth-microsoft_graph (RubyGems) | Jan 3, 2024
CVE-2023-7079 | Moderate | Arbitrary remote file read in Wrangler dev server | wrangler (npm) | Jan 3, 2024
CVE-2023-50714 | Moderate | yiisoft/yii2-authclient's Oauth2 PKCE implementation is vulnerable | yiisoft/yii2-authclient (Composer) | Dec 18, 2023
CVE-2013-0239 | Moderate | Improper Authentication in Apache CXF | org.apache.cxf:cxf-rt-frontend-jaxrs (Maven) | May 5, 2022
CVE-2012-5633 | Moderate | Improper Authentication in Apache CXF | org.apache.cxf:cxf (Maven) | May 13, 2022
CVE-2023-51442 | High | Authentication bypass vulnerability in navidrome's subsonic endpoint | github.com/navidrome/navidrome (Go) | Dec 19, 2023
CVE-2023-37544 | High | Apache Pulsar WebSocket Proxy contains an Improper Authentication vulnerability | org.apache.pulsar:pulsar-websocket (Maven) | Dec 20, 2023
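Two entries in the list above (CVE-2024-23647 in Authentik and CVE-2023-50714 in yiisoft/yii2-authclient) name the PKCE downgrade class. The example below is an added illustration of the checks an authorization server needs so that neither half of the PKCE binding can be silently dropped; it is not code from either project and does not describe the specific defect in either advisory. The `AuthorizationServer` class, its `strict` flag, the client registration shape and the `issue`/`downgrade_rejected` helpers are this example's own assumptions. The two checks it enforces come from RFC 7636 and the OAuth 2.0 Security Best Current Practice: a client registered as PKCE-required cannot authorize without a `code_challenge`, and a `code_verifier` presented for a code that was issued without a challenge is an error rather than a no-op.

```python
# Added example: PKCE binding checks at an OAuth 2.0 token endpoint.
# All names here are illustrative; none are taken from authentik,
# yii2-authclient or any other project in the advisory list.
import base64
import hashlib
import hmac
import secrets


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Minimal code-grant state machine keeping only what the PKCE checks need."""

    def __init__(self, strict: bool = True):
        # strict=False models the downgrade-prone behaviour: a code issued without
        # a challenge is redeemed even when the token request carries a verifier.
        self.strict = strict
        self._codes = {}     # authorization code -> {"client_id", "challenge"}
        self._clients = {}   # client_id -> {"pkce_required": bool}

    def register_client(self, client_id: str, pkce_required: bool) -> None:
        self._clients[client_id] = {"pkce_required": pkce_required}

    def authorize(self, client_id, code_challenge=None, code_challenge_method=None) -> str:
        client = self._clients[client_id]
        if code_challenge is None:
            if client["pkce_required"]:
                # First downgrade point: a PKCE client whose request lacks the challenge.
                raise PermissionError("invalid_request: code_challenge required")
        elif code_challenge_method != "S256":
            # Refuse "plain" and a missing method (which RFC 7636 defaults to plain).
            raise PermissionError("invalid_request: only S256 is supported")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "challenge": code_challenge}
        return code

    def token(self, client_id, code, code_verifier=None) -> str:
        state = self._codes.pop(code, None)          # pop() makes the code single-use
        if state is None or state["client_id"] != client_id:
            raise PermissionError("invalid_grant")
        stored = state["challenge"]
        if stored is None:
            if code_verifier is not None and self.strict:
                # Second downgrade point: verifier offered for a code that was never bound.
                raise PermissionError("invalid_grant: code_verifier without code_challenge")
            return self._issue(client_id)
        if code_verifier is None or not 43 <= len(code_verifier) <= 128:
            raise PermissionError("invalid_grant: code_verifier missing or malformed")
        if not hmac.compare_digest(s256_challenge(code_verifier), stored):
            raise PermissionError("invalid_grant: code_verifier does not match")
        return self._issue(client_id)

    def _issue(self, client_id: str) -> str:
        return f"at-{client_id}-{secrets.token_urlsafe(16)}"   # opaque token, illustrative


def downgrade_rejected(strict: bool) -> bool:
    """True if a code issued without a challenge cannot be redeemed with a verifier."""
    srv = AuthorizationServer(strict=strict)
    srv.register_client("web", pkce_required=False)   # PKCE optional for this client
    code = srv.authorize("web")                        # request shaped to omit the challenge
    try:
        srv.token("web", code, code_verifier=secrets.token_urlsafe(48))
    except PermissionError:
        return True
    return False


def legitimate_flow_succeeds() -> bool:
    srv = AuthorizationServer()
    srv.register_client("spa", pkce_required=True)
    verifier = secrets.token_urlsafe(48)               # 64 characters, within 43..128
    code = srv.authorize("spa", s256_challenge(verifier), "S256")
    return srv.token("spa", code, verifier).startswith("at-spa-")


def unbound_request_for_pkce_client_rejected() -> bool:
    srv = AuthorizationServer()
    srv.register_client("spa", pkce_required=True)
    try:
        srv.authorize("spa")                           # no code_challenge at all
    except PermissionError:
        return True
    return False


def wrong_verifier_rejected() -> bool:
    srv = AuthorizationServer()
    srv.register_client("spa", pkce_required=True)
    code = srv.authorize("spa", s256_challenge(secrets.token_urlsafe(48)), "S256")
    try:
        srv.token("spa", code, secrets.token_urlsafe(48))   # different verifier
    except PermissionError:
        return True
    return False
```

Running `downgrade_rejected(strict=False)` shows why the lenient variant is the one to watch for in review: the token endpoint happily ignores the unmatched verifier, so an attacker who can get an unbound authorization code issued no longer needs the verifier to redeem it.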
ProTip! Advisories are also available from the GraphQL API.