GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
3,474 advisories
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ZMarkdown (Critical): GHSA-2c83-wfv3-q25f was published for rebber (npm) on Sep 7, 2021.
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect (Low): CVE-2024-30261 was published for undici (npm) on Apr 4, 2024.
MediaElement Vulnerable to Reflected XSS (Moderate): CVE-2016-4567 was published for contao-components/mediaelement (Composer) on May 17, 2022.
Hono vulnerable to Restricted Directory Traversal in serveStatic with deno (Moderate): CVE-2024-32869 was published for hono (npm) on Apr 23, 2024.
Conform contains a Prototype Pollution Vulnerability in `parseWith...` function (High): CVE-2024-32866 was published for @conform-to/dom (npm) on Apr 23, 2024.
MySQL2 for Node Arbitrary Code Injection (Critical): CVE-2024-21511 was published for mysql2 (npm) on Apr 23, 2024.
Joplin Cross Site Scripting Vulnerability via NOSCRIPT tags (Moderate): CVE-2021-33295 was published for joplin (npm) on Jun 17, 2022.
Joplin Vulnerable to Cross-site Scripting in Note Content (Moderate): CVE-2018-1000534 was published for joplin (npm) on May 14, 2022.
Joplin Vulnerable to Code Injection (Critical): CVE-2022-23340 was published for joplin (npm) on Feb 9, 2022.
Joplin vulnerable to Cross-site Scripting in notes (Moderate): CVE-2021-37916 was published for joplin (npm) on May 24, 2022.
Renovate vulnerable to arbitrary command injection via helmv3 manager and registryAliases (Moderate): GHSA-rqgv-292v-5qgr was published for renovate (npm) on Apr 23, 2024.
GitBook allows Cross-site Scripting via a local .md file (Moderate): CVE-2019-19596 was published for gitbook (npm) on May 24, 2022.
deep-defaults vulnerable to prototype pollution (Critical): CVE-2021-25944 was published for deep-defaults (npm) on May 24, 2022.
Obsidian does not require user confirmation for non-http/https URLs (Critical): CVE-2021-38148 was published for obsidian (npm) on May 24, 2022.
convert-svg-core vulnerable to remote code injection (Critical): CVE-2022-25759 was published for convert-svg-core (npm) on Jul 23, 2022.
thlorenz browserify-shim vulnerable to prototype pollution (Critical): CVE-2022-37617 was published for browserify-shim (npm) on Oct 12, 2022.
thlorenz browserify-shim vulnerable to prototype pollution (Critical): CVE-2022-37621 was published for browserify-shim (npm) on Oct 29, 2022.
thlorenz browserify-shim vulnerable to prototype pollution (Critical): CVE-2022-37623 was published for browserify-shim (npm) on Oct 31, 2022.
Treekill Enables OS Command Injection (Critical): CVE-2019-15598 was published for tree-kill (npm) on May 24, 2022.
PIDUsage Enables OS Command Injection (Critical): CVE-2017-1000220 was published for pidusage (npm) on May 13, 2022.
Mongoose Vulnerable to Prototype Pollution in Schema Object (Critical): CVE-2022-24304 was published for mongoose (npm) on Aug 27, 2022.
Font-Converter Vulnerable to Arbitrary Command Injection (Critical): CVE-2022-21165 was published for font-converter (npm) on Aug 29, 2022.
Advisories are also available from the GraphQL API.