GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
3,964
Erlang
29
GitHub Actions
16
Go
1,746
Maven
4,974
npm
3,507
NuGet
609
pip
3,071
Pub
10
RubyGems
832
Rust
780
Swift
34
Unreviewed advisories
All unreviewed
5,000+
950 advisories
Filter by severity
conf-cfg-ini Prototype Pollution via malicious INI file before v1.2.2
Critical
CVE-2020-28441
was published
for
conf-cfg-ini
(npm)
Jul 26, 2022
ffmpeg-sdk vulnerable to OS Command Injection
Critical
CVE-2020-28435
was published
for
ffmpeg-sdk
(npm)
Jul 26, 2022
sonar-wrapper Command Injection vulnerability
Critical
CVE-2020-28443
was published
for
sonar-wrapper
(npm)
Jul 26, 2022
node-import `params` argument can be controlled by users without any sanitization
Critical
CVE-2020-7678
was published
for
node-import
(npm)
Jul 26, 2022
js-ini Prorotype Pollution when malicious INI files submitted to an application that parses it with `parse`
Critical
CVE-2020-28461
was published
for
js-ini
(npm)
Jul 26, 2022
otp-generator before v3.0.0 insecurely generates random one-time passwords
Critical
CVE-2021-23451
was published
for
otp-generator
(npm)
Jul 26, 2022
xopen is vulnerable to OS Command Injection in Exported Function xopen(filepath)
Critical
CVE-2020-28447
was published
for
xopen
(npm)
Jul 26, 2022
set-deep-prop Prototype Pollution
Critical
CVE-2021-23373
was published
for
set-deep-prop
(npm)
Jul 26, 2022
ion-parser Prototype Pollution when malicious INI file submitted to application that parses with `parse`
Critical
CVE-2020-28462
was published
for
ion-parser
(npm)
Jul 26, 2022
ntesseract vulnerable to Command Injection
Critical
CVE-2020-28446
was published
for
ntesseract
(npm)
Jul 26, 2022
Joplin is vulnerable to arbitrary code execution
Critical
CVE-2022-35131
was published
for
joplin
(npm)
Jul 26, 2022
convert-svg-core vulnerable to remote code injection
Critical
CVE-2022-25759
was published
for
convert-svg-core
(npm)
Jul 23, 2022
Properties-Reader before v2.2.0 vulnerable to prototype pollution
Critical
CVE-2020-28471
was published
for
properties-reader
(npm)
Jul 19, 2022
thenify before 3.3.1 made use of unsafe calls to `eval`.
Critical
CVE-2020-7677
was published
for
org.webjars.npm:thenify
(Maven)
Jul 18, 2022
Shescape vulnerable to insufficient escaping of whitespace
Critical
CVE-2022-31180
was published
for
shescape
(npm)
Jul 15, 2022
llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding
Critical
CVE-2022-32213
was published
for
llhttp
(npm)
Jul 15, 2022
llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields
Critical
CVE-2022-32214
was published
for
llhttp
(npm)
Jul 15, 2022
Prototype Pollution in deep.assign
Critical
CVE-2021-40663
was published
for
deep.assign
(npm)
Jul 1, 2022
Server-Side Request Forgery in parse-url
Critical
CVE-2022-2216
was published
for
parse-url
(npm)
Jun 28, 2022
Server-Side Request Forgery in kityminder
Critical
CVE-2022-31830
was published
for
kityminder
(npm)
Jun 10, 2022
Server-Side Template Injection in formio
Critical
CVE-2020-28246
was published
for
formio
(npm)
Jun 3, 2022
Improper Neutralization of Special Elements used in a Command in Shell-quote
Critical
CVE-2021-42740
was published
for
shell-quote
(npm)
May 24, 2022
Obsidian does not require user confirmation for non-http/https URLs.
Critical
CVE-2021-38148
was published
for
obsidian
(npm)
May 24, 2022
ProTip!
Advisories are also available from the
GraphQL API