GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
34 advisories
Denial of service in Open Policy Agent
High
CVE-2022-33082
was published
for
github.com/open-policy-agent/opa
(Go)
Jul 1, 2022
Insufficient validation when decoding a Socket.IO packet
Critical
CVE-2022-2421
was published
for
socket.io-parser
(npm)
Oct 26, 2022
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
High
CVE-2017-5647
was published
for
org.apache.tomcat:tomcat
(Maven)
May 14, 2022
Improper Neutralization of Special Elements used in a Command in Shell-quote
Critical
CVE-2021-42740
was published
for
shell-quote
(npm)
May 24, 2022
SQL Injection Vulnerability via ActiveRecord comments
High
CVE-2023-22794
was published
for
activerecord
(RubyGems)
Jan 18, 2023
Possible shell escape sequence injection vulnerability in Rack
Critical
CVE-2022-30123
was published
for
rack
(RubyGems)
May 27, 2022
Prototype Pollution in object-path
High
CVE-2021-3805
was published
for
object-path
(npm)
Sep 20, 2021
node-fetch forwards secure headers to untrusted sites
High
CVE-2022-0235
was published
for
node-fetch
(npm)
Jan 21, 2022
Duplicate Advisory: Prototype Pollution in jquery
Moderate
CVE-2019-5428
was published
for
jquery
(RubyGems)
Apr 23, 2019
•
withdrawn
Sprockets path traversal leads to information leak
High
CVE-2018-3760
was published
for
sprockets
(RubyGems)
Jun 20, 2018
Apache Spark vulnerable to Log Injection
Moderate
CVE-2022-31777
was published
for
org.apache.spark:spark-core
(Maven)
Nov 1, 2022
Improper Input Validation in simple_form
Critical
CVE-2019-16676
was published
for
simple_form
(RubyGems)
Sep 30, 2019
Keycloak vulnerable to privilege escalation on Token Exchange feature
Critical
CVE-2022-1245
was published
for
org.keycloak:keycloak-services
(Maven)
Apr 26, 2022
Improper Input Validation in GeoServer
High
CVE-2022-24847
was published
for
org.geoserver:gs-main
(Maven)
Apr 22, 2022
Kubernetes vulnerable to validation bypass
High
CVE-2022-3294
was published
for
github.com/kubernetes/kubernetes
(Go)
Mar 1, 2023
xmldom allows multiple root nodes in a DOM
Critical
CVE-2022-39353
was published
for
@xmldom/xmldom
(npm)
Nov 1, 2022
Duplicate Advisory: Denial of Service due to parser crash
Low
GHSA-3mq5-fq9h-gj7j
was published
for
com.thoughtworks.xstream:xstream
(Maven)
Sep 17, 2022
•
withdrawn
Incorrect Authorization in Apache Solr
Critical
CVE-2020-13957
was published
for
org.apache.solr:solr-parent
(Maven)
Feb 10, 2022
Improper Privilege Management in Mattermost
Moderate
CVE-2022-1332
was published
for
github.com/mattermost/mattermost-server/v5
(Go)
Apr 14, 2022
Code injection in Apache NiFi and NiFi Registry
High
CVE-2022-33140
was published
for
org.apache.nifi.registry:nifi-registry-core
(Maven)
Jun 16, 2022
Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter
High
CVE-2022-24901
was published
for
parse-server
(npm)
May 4, 2022
Improper path handling in kustomization files allows path traversal
Critical
CVE-2022-24877
was published
for
github.com/fluxcd/flux2
(Go)
May 4, 2022
Shescape vulnerable to insufficient escaping of whitespace
Critical
CVE-2022-31180
was published
for
shescape
(npm)
Jul 15, 2022
Arbitrary filesystem write access from velocity.
High
CVE-2022-24897
was published
for
org.xwiki.commons:xwiki-commons-velocity
(Maven)
Apr 28, 2022
Prototype Pollution via file load in aws-sdk and @aws-sdk/shared-ini-file-loader
High
CVE-2020-28472
was published
for
@aws-sdk/shared-ini-file-loader
(npm)
Nov 16, 2021
ProTip!
Advisories are also available from the
GraphQL API