GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
3,683
Erlang
29
GitHub Actions
16
Go
1,708
Maven
4,944
npm
3,473
NuGet
603
pip
2,995
Pub
10
RubyGems
826
Rust
773
Swift
34
Unreviewed advisories
All unreviewed
5,000+
18,873 advisories
Filter by severity
Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS
High
CVE-2024-1249
was published
for
org.keycloak:keycloak-services
(Maven)
Apr 17, 2024
Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow
Moderate
CVE-2023-6717
was published
for
org.keycloak:keycloak-services
(Maven)
Apr 17, 2024
sensiolabs/connect has a Cross-Site Request Forgery Vulnerability
Moderate
GHSA-6wqp-7g94-f69j
was published
for
sensiolabs/connect
(Composer)
May 21, 2024
scheb/two-factor-bundle bypass two-factor authentication with remember-me option
High
GHSA-9phw-7h96-q3rv
was published
for
scheb/two-factor-bundle
(Composer)
May 21, 2024
Sender can cause a receiver to overwrite files during ZIP extraction in Croc
Moderate
CVE-2023-43616
was published
for
github.com/schollz/croc
(Go)
Sep 20, 2023
Croc requires senders to provide local IP addresses in cleartext
Moderate
CVE-2023-43618
was published
for
github.com/schollz/croc/v9
(Go)
Sep 20, 2023
Cros secrets may be disclosed to untrusted relay
Moderate
CVE-2023-43617
was published
for
github.com/schollz/croc/v9
(Go)
Sep 20, 2023
Croc may expose secret to local users
Moderate
CVE-2023-43621
was published
for
github.com/schollz/croc/v9
(Go)
Sep 20, 2023
Croc sender may send dangerous new files to receiver
High
CVE-2023-43619
was published
for
github.com/schollz/croc/v9
(Go)
Sep 20, 2023
scheb/two-factor-bundle bypass two-factor authentication with unverified JWT trusted device token
High
GHSA-h6mp-mc7g-mg49
was published
for
scheb/two-factor-bundle
(Composer)
May 21, 2024
Croc sender may place ANSI or CSI escape sequences in filename to attach receiver's terminal device
High
CVE-2023-43620
was published
for
github.com/schollz/croc/v9
(Go)
Sep 20, 2023
Denial of Service Vulnerability in Rustls Library
High
CVE-2024-32650
was published
for
rustls
(Rust)
Apr 19, 2024
HTTP Request Smuggling in Netty
High
CVE-2019-16869
was published
for
io.netty:netty-all
(Maven)
Oct 11, 2019
Umbraco CMS Vulnerable to Stored XSS on Content Page Through Markdown Editor Preview Pane
Moderate
CVE-2024-35218
was published
for
UmbracoCms.Core
(NuGet)
May 21, 2024
OMERO.web must check that the JSONP callback is a valid function
Moderate
CVE-2024-35180
was published
for
omero-web
(pip)
May 21, 2024
Umbraco CMS Open Redirect Bypass Protection
Moderate
CVE-2024-34071
was published
for
Umbraco.Cms.Web.BackOffice
(NuGet)
May 21, 2024
Some CORS middleware allow untrusted origins
Critical
GHSA-v84h-653v-4pq9
was published
for
github.com/jub0bs/fcors
(Go)
May 3, 2024
Some CORS middleware allow untrusted origins
Critical
GHSA-vhxv-fg4m-p2w8
was published
for
github.com/jub0bs/cors
(Go)
May 3, 2024
github.com/nats-io/nats-server Import token permissions checking not enforced
High
GHSA-j756-f273-xhp4
was published
for
github.com/nats-io/nats-server/v2
(Go)
May 21, 2021
ic-stable-structures vulnerable to BTreeMap memory leak when deallocating nodes with overflows
Moderate
CVE-2024-4435
was published
for
ic-stable-structures
(Rust)
May 21, 2024
Gradio applications running locally vulnerable to 3rd party websites accessing routes and uploading files
Moderate
CVE-2024-1727
was published
for
gradio
(pip)
May 21, 2024
Duplicate Advisory: Cross-Site Request Forgery in Gradio
Moderate
GHSA-3x9g-xfj5-fq84
was published
for
gradio
(pip)
Mar 21, 2024
•
withdrawn
Duplicate Advisory: Incorrect Access Control in github.com/nats-io/jwt and github.com/nats-io/nats-server/v2
High
GHSA-9r5x-fjv3-q6h4
was published
for
github.com/nats-io/jwt
(Go)
Feb 15, 2022
•
withdrawn
github.com/containers/image allows unexpected authenticated registry accesses
High
CVE-2024-3727
was published
for
github.com/containers/image
(Go)
May 14, 2024
Requests `Session` object does not verify requests after making first request with verify=False
Moderate
CVE-2024-35195
was published
for
requests
(pip)
May 20, 2024
ProTip!
Advisories are also available from the
GraphQL API