GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
3,968
Erlang
29
GitHub Actions
16
Go
1,749
Maven
4,978
npm
3,509
NuGet
609
pip
3,084
Pub
10
RubyGems
832
Rust
782
Swift
34
Unreviewed advisories
All unreviewed
5,000+
1,664 advisories
Filter by severity
Command Injection in Kylin
High
CVE-2020-1956
was published
for
org.apache.kylin:kylin-core-common
(Maven)
Jul 27, 2020
Apache juddi-client vulnerable to XML External Entity (XXE)
High
CVE-2018-1307
was published
for
org.apache.juddi:juddi-client
(Maven)
Oct 19, 2018
Stack Overflow in Apache Mesos
High
CVE-2018-11793
was published
for
org.apache.mesos:mesos
(Maven)
Mar 6, 2019
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Pivotal CredHub Service Broker
High
CVE-2018-15795
was published
for
org.springframework.credhub:spring-credhub-core
(Maven)
Nov 29, 2018
Arbitrary Command Execution in Hadoop
High
CVE-2018-11766
was published
for
org.apache.hadoop:hadoop-main
(Maven)
Dec 21, 2018
Deserialization of Untrusted Data in swagger-codegen
High
CVE-2017-1000207
was published
for
io.swagger:swagger-codegen
(Maven)
Oct 19, 2018
Path Traversal in minsoft:ms-mcms
High
CVE-2018-18831
was published
for
net.mingsoft:ms-mcms
(Maven)
Nov 1, 2018
Cross-Site Request Forgery (CSRF) in hswebframework.web:hsweb-commons
High
CVE-2018-20595
was published
for
org.hswebframework.web:hsweb-commons
(Maven)
Jan 4, 2019
Uncontrolled Resource Consumption in spray-json when parsing decimal digit fields
High
CVE-2018-18853
was published
for
io.spray:spray-json_2.10
(Maven)
Nov 9, 2018
Server Side Request Forgery in svgSalamander
High
CVE-2017-5617
was published
for
com.kitfox.svg:svg-salamander
(Maven)
Oct 19, 2018
Improper Restriction of Operations within the Bounds of a Memory Buffer in akka-http-core
High
CVE-2017-1000118
was published
for
com.typesafe.akka:akka-http-core_2.11
(Maven)
Oct 22, 2018
Improper Authentication in Keycloak
High
CVE-2018-14637
was published
for
org.keycloak:keycloak-core
(Maven)
Dec 21, 2018
OS Command Injection in craftercms:crafter-studio
High
CVE-2018-19907
was published
for
org.craftercms:crafter-studio
(Maven)
Dec 19, 2018
In Bouncy Castle JCE Provider ECDSA does not fully validate ASN.1 encoding of signature on verification
High
CVE-2016-1000342
was published
for
org.bouncycastle:bcprov-jdk14
(Maven)
Oct 17, 2018
Access and integrity issue within Eclipse Jetty
High
CVE-2018-12538
was published
for
org.eclipse.jetty:jetty-server
(Maven)
Oct 16, 2018
Denial of service in XStream
High
CVE-2017-7957
was published
for
com.thoughtworks.xstream:xstream
(Maven)
Jun 30, 2020
Denial of service due to reference expansion in versions earlier than 4.0
High
GHSA-mm44-wc5p-wqhq
was published
for
com.upokecenter:cbor
(Maven)
Jul 7, 2020
Android SVG vulnerable to XML External Entity (XXE)
High
CVE-2017-1000498
was published
for
com.caverock:androidsvg
(Maven)
Oct 19, 2018
Directory Traversal vulnerability in Square Retrofit
High
CVE-2018-1000850
was published
for
com.squareup.retrofit2:retrofit
(Maven)
Dec 21, 2018
Improper Privilege Management in Apache Karaf
High
CVE-2018-11786
was published
for
org.apache.karaf:apache-karaf
(Maven)
Dec 21, 2018
The REST Plugin in Apache Struts is using an outdated XStream library
High
CVE-2017-9793
was published
for
org.apache.struts:struts2-rest-plugin
(Maven)
Oct 16, 2018
In Bouncy Castle JCE Provider the ECIES implementation allowed the use of ECB mode
High
CVE-2016-1000352
was published
for
org.bouncycastle:bcprov-jdk14
(Maven)
Oct 17, 2018
Apache Storm it is possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user
High
CVE-2017-9799
was published
for
org.apache.storm:storm-core
(Maven)
Oct 17, 2018
When running Apache Tomcat on Windows with HTTP PUTs enabled it was possible to upload a JSP file to the server
High
CVE-2017-12615
was published
for
org.apache.tomcat.embed:tomcat-embed-core
(Maven)
Oct 17, 2018
In Bouncy Castle JCE Provider the DSA key pair generator generates a weak private key if used with default values
High
CVE-2016-1000343
was published
for
org.bouncycastle:bcprov-jdk14
(Maven)
Oct 17, 2018
ProTip!
Advisories are also available from the
GraphQL API