GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
3,958
Erlang
29
GitHub Actions
16
Go
1,745
Maven
4,971
npm
3,507
NuGet
609
pip
3,066
Pub
10
RubyGems
832
Rust
780
Swift
34
Unreviewed advisories
All unreviewed
5,000+
3,508 advisories
Filter by severity
MediaElement Vulnerable to Reflected XSS
Moderate
CVE-2016-4567
was published
for
contao-components/mediaelement
(Composer)
May 17, 2022
Hono vulnerable to Restricted Directory Traversal in serveStatic with deno
Moderate
CVE-2024-32869
was published
for
hono
(npm)
Apr 23, 2024
MySQL2 for Node Arbitrary Code Injection
Critical
CVE-2024-21511
was published
for
mysql2
(npm)
Apr 23, 2024
Joplin Cross Site Scripting Vulnerability via NOSCRIPT tags
Moderate
CVE-2021-33295
was published
for
joplin
(npm)
Jun 17, 2022
Joplin Vulnerable to Cross-site Scripting in Note Content
Moderate
CVE-2018-1000534
was published
for
joplin
(npm)
May 14, 2022
Joplin Vulnerable to Code Injection
Critical
CVE-2022-23340
was published
for
joplin
(npm)
Feb 9, 2022
Joplin vulnerable to Cross-site Scripting in notes
Moderate
CVE-2021-37916
was published
for
joplin
(npm)
May 24, 2022
Renovate vulnerable to arbitrary command injection via helmv3 manager and registryAliases
Moderate
GHSA-rqgv-292v-5qgr
was published
for
renovate
(npm)
Apr 23, 2024
GitBook allows Cross-site Scripting via a local .md file.
Moderate
CVE-2019-19596
was published
for
gitbook
(npm)
May 24, 2022
deep-defaults vulnerable to prototype pollution
Critical
CVE-2021-25944
was published
for
deep-defaults
(npm)
May 24, 2022
Obsidian does not require user confirmation for non-http/https URLs.
Critical
CVE-2021-38148
was published
for
obsidian
(npm)
May 24, 2022
convert-svg-core vulnerable to remote code injection
Critical
CVE-2022-25759
was published
for
convert-svg-core
(npm)
Jul 23, 2022
thlorenz browserify-shim vulnerable to prototype pollution
Critical
CVE-2022-37617
was published
for
browserify-shim
(npm)
Oct 12, 2022
thlorenz browserify-shim vulnerable to prototype pollution
Critical
CVE-2022-37621
was published
for
browserify-shim
(npm)
Oct 29, 2022
thlorenz browserify-shim vulnerable to prototype pollution
Critical
CVE-2022-37623
was published
for
browserify-shim
(npm)
Oct 31, 2022
Treekill Enables OS Command Injection
Critical
CVE-2019-15598
was published
for
tree-kill
(npm)
May 24, 2022
PIDUsage Enables OS Command Injection
Critical
CVE-2017-1000220
was published
for
pidusage
(npm)
May 13, 2022
Mongoose Vulnerable to Prototype Pollution in Schema Object
Critical
CVE-2022-24304
was published
for
mongoose
(npm)
Aug 27, 2022
Font-Converter Vulnerable to Arbitrary Command Injection
Critical
CVE-2022-21165
was published
for
font-converter
(npm)
Aug 29, 2022
Sanitize-html Vulnerable To REDoS Attacks
High
CVE-2022-25887
was published
for
sanitize-html
(npm)
Aug 31, 2022
tschaub gh-pages vulnerable to prototype pollution
Critical
CVE-2022-37611
was published
for
gh-pages
(npm)
Oct 12, 2022
mootools-more vulnerable to prototype pollution
High
CVE-2021-20088
was published
for
mootools-more
(npm)
May 24, 2022
ProTip!
Advisories are also available from the
GraphQL API