GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
3,696
Erlang
29
GitHub Actions
16
Go
1,708
Maven
4,944
npm
3,473
NuGet
603
pip
2,995
Pub
10
RubyGems
826
Rust
773
Swift
34
Unreviewed advisories
All unreviewed
5,000+
1,370 advisories
Filter by severity
import-in-the-middle has unsanitized user controlled input in module generation
High
CVE-2023-38704
was published
for
import-in-the-middle
(npm)
Aug 8, 2023
pnpm incorrectly parses tar archives relative to specification
High
CVE-2023-37478
was published
for
@pnpm/cafs
(npm)
Aug 1, 2023
underscore-keypath vulnerable to Prototype Pollution
High
CVE-2023-26139
was published
for
underscore-keypath
(npm)
Aug 1, 2023
Unsafe plugins can be installed via pack import by tenant admins
High
GHSA-wxf3-4fvj-vqqx
was published
for
@saltcorn/cli
(npm)
Jul 27, 2023
DoS vulnerability for apps with sockets enabled
High
CVE-2023-38504
was published
for
sails
(npm)
Jul 27, 2023
Leaking sensitive user information still possible by filtering on private with prefix fields
High
CVE-2023-34235
was published
for
@strapi/database
(npm)
Jul 25, 2023
Feathers socket handler allows abusing implicit toString
High
CVE-2023-37899
was published
for
@feathersjs/socketio
(npm)
Jul 20, 2023
webmention.js Cross-site Scripting vulnerability
High
CVE-2023-3672
was published
for
webmention.js
(npm)
Jul 14, 2023
is_js vulnerable to Regular Expression Denial of Service
High
CVE-2020-26302
was published
for
is_js
(npm)
Jul 6, 2023
@fastify/oauth2 vulnerable to Cross Site Request Forgery due to reused Oauth2 state
High
CVE-2023-31999
was published
for
@fastify/oauth2
(npm)
Jul 5, 2023
llhttp vulnerable to HTTP request smuggling
High
CVE-2023-30589
was published
for
llhttp
(npm)
Jul 1, 2023
flatnest Prototype Pollution vulnerability
High
CVE-2023-26135
was published
for
flatnest
(npm)
Jun 30, 2023
passport-wsfed-saml2 Signature Bypass vulnerability
High
GHSA-5wrg-8fxp-cx9r
was published
for
passport-wsfed-saml2
(npm)
Jun 21, 2023
Backstage Scaffolder plugin has insecure sandbox
High
CVE-2023-35926
was published
for
@backstage/plugin-scaffolder-backend
(npm)
Jun 21, 2023
passport-wsfed-saml2 vulnerable to Signature Bypass in SAML2 token
High
CVE-2017-16897
was published
for
passport-wsfed-saml2
(npm)
Jun 21, 2023
progressbar.js vulnerable to Prototype Pollution
High
CVE-2023-26133
was published
for
progressbar.js
(npm)
Jun 12, 2023
dottie vulnerable to Prototype Pollution
High
CVE-2023-26132
was published
for
dottie
(npm)
Jun 10, 2023
Snowflake NodeJS Driver vulnerable to Command Injection
High
CVE-2023-34232
was published
for
snowflake-sdk
(npm)
Jun 9, 2023
@udecode/plate-link does not sanitize URLs to prevent use of the `javascript:` scheme
High
CVE-2023-34245
was published
for
@udecode/plate-link
(npm)
Jun 9, 2023
fast-xml-parser vulnerable to Regex Injection via Doctype Entities
High
CVE-2023-34104
was published
for
fast-xml-parser
(npm)
Jun 6, 2023
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
High
CVE-2023-34092
was published
for
vite
(npm)
Jun 6, 2023
bwm-ng vulnerable to command injection
High
CVE-2023-26129
was published
for
bwm-ng
(npm)
May 27, 2023
keep-module-latest vulnerable to Command Injection due to missing input sanitization
High
CVE-2023-26128
was published
for
keep-module-latest
(npm)
May 27, 2023
ProTip!
Advisories are also available from the
GraphQL API