GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
3,444
Erlang
29
GitHub Actions
16
Go
1,668
Maven
4,928
npm
3,458
NuGet
595
pip
2,876
Pub
10
RubyGems
823
Rust
766
Swift
34
Unreviewed advisories
All unreviewed
5,000+
1,009 advisories
Filter by severity
Sylius potentially vulnerable to Cross Site Scripting via "Name" field (Taxons, Products, Options, Variants) in Admin Panel
Low
CVE-2024-34349
was published
for
sylius/sylius
(Composer)
May 10, 2024
thelounge may publicly disclose of all usernames/idents via port 113
Low
GHSA-g49q-jw42-6x85
was published
for
thelounge
(npm)
May 9, 2024
Kimai information disclosure vulnerability
Low
CVE-2024-4596
was published
for
kimai/kimai
(Composer)
May 7, 2024
vodozemac has degraded secret zeroization capabilities
Low
CVE-2024-34063
was published
for
vodozemac
(Rust)
May 3, 2024
Bouncy Castle Java Cryptography API vulnerable to DNS poisoning
Low
CVE-2024-34447
was published
for
org.bouncycastle:bcprov-jdk12
(Maven)
May 3, 2024
Firebase vulnerable to CRSF attack
Low
CVE-2024-4128
was published
for
firebase-tools
(npm)
May 2, 2024
Jenkins Telegram Bot Plugin stores the Telegram Bot token in plaintext
Low
CVE-2024-34147
was published
for
org.jenkins-ci.plugins:telegrambot
(Maven)
May 2, 2024
XMLUnit for Java has Insecure Defaults when Processing XSLT Stylesheets
Low
CVE-2024-31573
was published
for
org.xmlunit:xmlunit-core
(Maven)
May 1, 2024
Wagtail has permission check bypass when editing a model with per-field restrictions through `wagtail.contrib.settings` or `ModelViewSet`
Low
CVE-2024-32882
was published
for
wagtail
(pip)
May 1, 2024
Mattermost allows team admins to promote guests to team admins
Low
CVE-2024-4195
was published
for
github.com/mattermost/mattermost-server
(Go)
Apr 26, 2024
Mattermost fails to fully validate role changes
Low
CVE-2024-4198
was published
for
github.com/mattermost/mattermost-server
(Go)
Apr 26, 2024
Mattermost fails to limit the size of a request path
Low
CVE-2024-22091
was published
for
github.com/mattermost/mattermost-server
(Go)
Apr 26, 2024
CosmWasm affected by arithmetic overflows
Low
GHSA-8724-5xmm-w5xq
was published
for
cosmwasm-std
(Rust)
Apr 24, 2024
Kubernetes allows bypassing mountable secrets policy imposed by the ServiceAccount admission plugin
Low
CVE-2024-3177
was published
for
k8s.io/kubernetes
(Go)
Apr 23, 2024
JADX file override vulnerability
Low
GHSA-hvp5-5x4f-33fq
was published
for
io.github.skylot:jadx-core
(Maven)
Apr 22, 2024
Authelia's Group Changes may not have the expected results (YAML file backend)
Low
GHSA-x883-2vmg-xwf7
was published
for
github.com/authelia/authelia/v4
(Go)
Apr 22, 2024
Enabling Authentication does not close all logged in socket connections immediately
Low
GHSA-23q2-5gf8-gjpp
was published
for
uptime-kuma
(npm)
Apr 19, 2024
1Panel's password verification is suspected to have a timing attack vulnerability
Low
CVE-2024-30257
was published
for
github.com/1Panel-dev/1Panel
(Go)
Apr 18, 2024
Prototype pollution in emit function
Low
GHSA-82jv-9wjw-pqh6
was published
for
derby
(npm)
Apr 17, 2024
Keycloak vulnerable to impersonation via logout token exchange
Low
CVE-2023-0657
was published
for
org.keycloak:keycloak-services
(Maven)
Apr 17, 2024
MSAL.NET applications targeting Xamarin Android and .NET Android (MAUI) susceptible to local denial of service
Low
CVE-2024-27086
was published
for
Microsoft.Identity.Client
(NuGet)
Apr 16, 2024
SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used
Low
CVE-2024-32001
was published
for
github.com/authzed/spicedb
(Go)
Apr 10, 2024
Transformers Deserialization of Untrusted Data vulnerability
Low
CVE-2024-3568
was published
for
transformers
(pip)
Apr 10, 2024
Kopia: Storage connection credentials written to console on "repository status" CLI command with JSON output
Low
GHSA-j5vm-7qcc-2wwg
was published
for
github.com/kopia/kopia
(Go)
Apr 10, 2024
ProTip!
Advisories are also available from the
GraphQL API