GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
3,988
Erlang
29
GitHub Actions
16
Go
1,776
Maven
5,000+
npm
3,542
NuGet
617
pip
3,125
Pub
10
RubyGems
838
Rust
790
Swift
34
Unreviewed advisories
All unreviewed
5,000+
40 advisories
Filter by severity
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
Moderate
CVE-2022-23541
was published
for
jsonwebtoken
(npm)
Dec 22, 2022
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
Moderate
CVE-2022-23540
was published
for
jsonwebtoken
(npm)
Dec 22, 2022
EverShop vulnerable to improper authorization in GraphQL endpoints
High
CVE-2023-46942
was published
for
@evershop/evershop
(npm)
Jan 13, 2024
@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)
Critical
CVE-2024-22206
was published
for
@clerk/nextjs
(npm)
Jan 12, 2024
botframework-connector vulnerable to Improper Authentication
Moderate
CVE-2021-1725
was published
for
botframework-connector
(npm)
Mar 8, 2021
Arbitrary remote file read in Wrangler dev server
Moderate
CVE-2023-7079
was published
for
wrangler
(npm)
Jan 3, 2024
Improper Key Verification in ipns
High
GHSA-j59f-6m4q-62h6
was published
for
ipns
(npm)
May 30, 2019
matrix-appservice-bridge doesn't verify the sub parameter of an openId token exhange, allowing unauthorized access to provisioning APIs
Moderate
CVE-2023-38691
was published
for
matrix-appservice-bridge
(npm)
Aug 4, 2023
Unauthorized Access to Private Fields in User Registration API
High
CVE-2023-39345
was published
for
@strapi/plugin-users-permissions
(npm)
Nov 3, 2023
isolated-vm has vulnerable CachedDataOptions in API
Critical
CVE-2022-39266
was published
for
isolated-vm
(npm)
Sep 30, 2022
Improper Access Control in passport-oauth2
Moderate
CVE-2021-41580
was published
for
passport-oauth2
(npm)
Sep 29, 2021
Auto-merging Person Records Compromised
High
CVE-2021-32691
was published
for
@apollosproject/data-connector-rock
(npm)
Jun 21, 2021
Improper Authentication in react-adal
High
CVE-2020-7787
was published
for
react-adal
(npm)
Apr 13, 2021
Forced Logout in keycloak-connect
Moderate
CVE-2019-10157
was published
for
keycloak-connect
(npm)
Jun 13, 2019
Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter
High
CVE-2022-24901
was published
for
parse-server
(npm)
May 4, 2022
Authentication Bypass for passport-wsfed-saml2
Moderate
CVE-2022-23505
was published
for
passport-wsfed-saml2
(npm)
Dec 13, 2022
API token verification can be bypassed in NodeBB
Critical
CVE-2021-43786
was published
for
nodebb
(npm)
Nov 30, 2021
Raneto Denial of Service via crafted payload injected into `Search` parameter
High
CVE-2022-35142
was published
for
raneto
(npm)
Aug 5, 2022
matrix-js-sdk subject to user spoofing via Olm/Megolm protocol confusion
High
CVE-2022-39251
was published
for
matrix-js-sdk
(npm)
Sep 30, 2022
matrix-js-sdk subject to impersonated messages due to permissive key forwarding
High
CVE-2022-39249
was published
for
matrix-js-sdk
(npm)
Sep 30, 2022
matrix-js-sdk subject to user impersonation due to key/device identifier confusion in SAS verification
High
CVE-2022-39250
was published
for
matrix-js-sdk
(npm)
Sep 30, 2022
Upstash Adapter missing token verification
Moderate
CVE-2022-39263
was published
for
@next-auth/upstash-redis-adapter
(npm)
Sep 30, 2022
parse-server auth adapter app ID validation can be circumvented
Low
CVE-2022-39231
was published
for
parse-server
(npm)
Sep 21, 2022
Authentication bypass vulnerability in Apple Game Center auth adapter
High
CVE-2022-31083
was published
for
parse-server
(npm)
Jun 17, 2022
Utils.readChallengeTx does not verify the server account signature
Moderate
CVE-2021-32738
was published
for
stellar-sdk
(npm)
Jul 2, 2021
ProTip!
Advisories are also available from the
GraphQL API