Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
3,825
Erlang
29
GitHub Actions
16
Go
1,715
Maven
4,950
npm
3,479
NuGet
605
pip
3,009
Pub
10
RubyGems
830
Rust
776
Swift
34
Unreviewed advisories
All unreviewed
5,000+

64 advisories

OpenMetadata vulnerable to SpEL Injection in `PUT /api/v1/policies` (`GHSL-2023-252`) Critical
CVE-2024-28253 was published for org.open-metadata:openmetadata-service (Maven) Apr 23, 2024
pwntester
Apache Zeppelin remote code execution by adding malicious JDBC connection string Critical
CVE-2024-31864 was published for org.apache.zeppelin:zeppelin-jdbc (Maven) Apr 9, 2024
oscerd
Beetl Server-Side Template Injection vulnerability Critical
CVE-2024-22533 was published for com.ibeetl:beetl-core (Maven) Feb 2, 2024
yoshizawa-masatoshi
XWiki Remote Code Execution Vulnerability via User Registration Critical
CVE-2024-21650 was published for org.xwiki.platform:xwiki-platform-administration-ui (Maven) Jan 8, 2024
Apache InLong Manager Remote Code Execution vulnerability Critical
CVE-2023-51784 was published for org.apache.inlong:manager-pojo (Maven) Jan 3, 2024
JeecgBoot server-side template injection Critical
CVE-2023-41544 was published for org.jeecgframework.boot:jeecg-boot-common (Maven) Dec 30, 2023
Remote code execution/programming rights with configuration section from any user account Critical
CVE-2023-50723 was published for org.xwiki.platform:xwiki-platform-administration-ui (Maven) Dec 16, 2023
Remote code execution from account through SearchAdmin Critical
CVE-2023-50721 was published for org.xwiki.platform:xwiki-platform-search-ui (Maven) Dec 16, 2023
HtmlUnit vulnerable to Remote Code Execution (RCE) via XSTL Critical
CVE-2023-49093 was published for org.htmlunit:htmlunit (Maven) Dec 4, 2023
Jupiter allows attackers to execute arbitrary commands via sending a crafted RPC request Critical
CVE-2023-48887 was published for org.jupiter-rpc:jupiter-rpc (Maven) Dec 2, 2023
Apache Derby: LDAP injection vulnerability in authenticator Critical
CVE-2022-46337 was published for org.apache.derby:derby (Maven) Nov 20, 2023
pdeslaur
XWiki Platform vulnerable to remote code execution through the section parameter in Administration as guest Critical
CVE-2023-46731 was published for org.xwiki.platform:xwiki-platform-administration (Maven) Nov 8, 2023
XWiki Platform vulnerable to remote code execution via the edit action because it lacks CSRF token Critical
CVE-2023-46242 was published for org.xwiki.platform:xwiki-platform-oldcore (Maven) Nov 7, 2023
Improper Control of Generation of Code ('Code Injection') in jai-ext Critical
CVE-2022-24816 was published for it.geosolutions.jaiext.jiffle:jt-jiffle (Maven) Sep 19, 2023
sikeoka
XWiki Platform privilege escalation (PR)/RCE from account through Invitation subject/message Critical
CVE-2023-37914 was published for org.xwiki.platform:xwiki-platform-invitation-ui (Maven) Aug 18, 2023
Alluxio vulnerable to arbitrary code execution Critical
CVE-2023-38889 was published for org.alluxio:alluxio-parent (Maven) Aug 15, 2023
Code injection in webmagic-core Critical
CVE-2023-39015 was published for us.codecraft:webmagic-core (Maven) Jul 28, 2023
Code injection in wix-embedded-mysql Critical
CVE-2023-39021 was published for com.wix:wix-embedded-mysql (Maven) Jul 28, 2023
Code injection in oscore Critical
CVE-2023-39022 was published for opensymphony:oscore (Maven) Jul 28, 2023
Code injection in BoofCV Critical
CVE-2023-39010 was published for org.boofcv:boofcv-core (Maven) Jul 28, 2023
Code injection in stanford-parser Critical
CVE-2023-39020 was published for edu.stanford.nlp:stanford-parser (Maven) Jul 28, 2023
Code injection in Duke Critical
CVE-2023-39013 was published for no.priv.garshol.duke:duke (Maven) Jul 28, 2023
FFmpeg discovered to contain a code injection vulnerability in the component net.bramp.ffmpeg.FFmpeg.<constructor> Critical
CVE-2023-39018 was published for net.bramp.ffmpeg:ffmpeg (Maven) Jul 28, 2023 withdrawn
RocketMQ NameServer component Code Injection vulnerability Critical
CVE-2023-37582 was published for org.apache.rocketmq:rocketmq-namesrv (Maven) Jul 12, 2023
Apache RocketMQ may have remote code execution vulnerability when using update configuration function Critical
CVE-2023-33246 was published for org.apache.rocketmq:rocketmq-broker (Maven) Jul 6, 2023
ProTip! Advisories are also available from the GraphQL API