Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
3,678
Erlang
29
GitHub Actions
16
Go
1,707
Maven
4,940
npm
3,471
NuGet
603
pip
2,993
Pub
10
RubyGems
826
Rust
773
Swift
34
Unreviewed advisories
All unreviewed
5,000+

6,560 advisories

Silverstripe X-Forwarded-Host request hostname injection High
GHSA-25gq-jvx2-vg9x was published for silverstripe/framework (Composer) May 23, 2024
Silverstripe SiteTree Creation Permission Vulnerability High
GHSA-3mm9-2p44-rw39 was published for silverstripe/cms (Composer) May 22, 2024
Ghost allows CSV Injection during member CSV export High
CVE-2024-34448 was published for @tryghost/members-csv (npm) May 22, 2024
gix traversal outside working tree enables arbitrary code execution High
CVE-2024-35186 was published for gitoxide (Rust) May 22, 2024
EliahKagan Byron
NASA AIT-Core uses unencrypted channels to exchange data over the network High
CVE-2024-35061 was published for ait-core (pip) May 21, 2024
scheb/two-factor-bundle bypass two-factor authentication with remember-me option High
GHSA-9phw-7h96-q3rv was published for scheb/two-factor-bundle (Composer) May 21, 2024
scheb/two-factor-bundle bypass two-factor authentication with unverified JWT trusted device token High
GHSA-h6mp-mc7g-mg49 was published for scheb/two-factor-bundle (Composer) May 21, 2024
@fastify/session reuses destroyed session cookie High
CVE-2024-35220 was published for @fastify/session (npm) May 21, 2024
json-schema-ref-parser Prototype Pollution issue High
CVE-2024-29651 was published for @apidevtools/json-schema-ref-parser (npm) May 20, 2024
robrichards/xmlseclibs XPath injection High
GHSA-2g98-f9jv-w8c5 was published for robrichards/xmlseclibs (Composer) May 20, 2024
Passbolt API Stored XSS on first/last name during setup High
GHSA-2f46-4xjm-73x5 was published for passbolt/passbolt_api (Composer) May 20, 2024
Passbolt Api Remote code execution High
GHSA-cv5c-2qv5-w2m2 was published for passbolt/passbolt_api (Composer) May 20, 2024
veraPDF has potential XSLT injection vulnerability when using policy files High
CVE-2024-28109 was published for org.verapdf:core (Maven) May 20, 2024
Duplicate Advisory: Scrapy leaks the authorization header on same-domain but cross-origin redirects High
GHSA-cg34-w3fm-82h3 was published for scrapy (pip) May 20, 2024 withdrawn
litellm passes untrusted data to `eval` function without sanitization High
CVE-2024-4264 was published for litellm (pip) May 18, 2024
Tor Arti's STUB circuits incorrectly have a length of 2 High
CVE-2024-35312 was published for arti (Rust) May 18, 2024
nzo/url-encryptor-bundle Insecure default secret key and IV allowing anyone to decrypt values High
GHSA-r2r8-36pq-27cm was published for nzo/url-encryptor-bundle (Composer) May 17, 2024
Cross-site Scripting vulnerabilities in Neos High
GHSA-6cj3-rc4p-f38f was published for neos/neos (Composer) May 17, 2024
Neos Information Disclosure Security Note High
GHSA-3c5g-73f7-grvm was published for neos/neos (Composer) May 17, 2024
namshi/jose insecure JSON Web Signatures (JWS) High
GHSA-hxhc-wmg8-xrqf was published for namshi/jose (Composer) May 17, 2024
Withdrawn Advisory: Weights and Biases (wandb) has a Server-Side Request Forgery (SSRF) vulnerability High
CVE-2024-4642 was published for wandb (pip) May 16, 2024 withdrawn
MLflow has a Local File Read/Path Traversal bypass High
CVE-2024-3848 was published for mlflow (pip) May 16, 2024
laravel framework SQL Injection via limit and offset functions High
GHSA-wq8p-mqvg-2p5h was published for laravel/framework (Composer) May 15, 2024
laravel framework Unexpected database bindings via requests High
GHSA-jwvj-pwww-3mj5 was published for laravel/framework (Composer) May 15, 2024
Laravel Cookie serialization vulnerability High
GHSA-6jvx-8ch9-j2jr was published for laravel/framework (Composer) May 15, 2024
ProTip! Advisories are also available from the GraphQL API