Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,077
Erlang
29
GitHub Actions
19
Go
1,903
Maven
5,000+
npm
3,632
NuGet
638
pip
3,249
Pub
10
RubyGems
864
Rust
818
Swift
35
Unreviewed advisories
All unreviewed
5,000+

7,021 advisories

Loading
Apache Airflow vulnerable to Improper Encoding or Escaping of Output High
CVE-2024-45498 was published for apache-airflow (pip) Sep 7, 2024
Default installation of `synthetic-monitoring-agent` exposes sensitive information High
CVE-2022-46156 was published for github.com/grafana/synthetic-monitoring-agent (Go) Sep 6, 2024
iamwillbar
HTML injection in JupyterLite leading to DOM Clobbering High
GHSA-gj55-2xf9-67rq was published for jupyterlite-core (pip) Sep 6, 2024
ishmeals jackfromeast
XXE vulnerability in XSLT transforms in `org.hl7.fhir.core` High
CVE-2024-45294 was published for ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may (Maven) Sep 6, 2024
qligier
Interchain Security: The signers of ICS messages do not need to match the provider address High
GHSA-7q74-g774-7x3g was published for github.com/cosmos/interchain-security (Go) Sep 5, 2024
ic-cdk has a memory leak when calling a canister method via `ic_cdk::call` High
CVE-2024-7884 was published for ic_cdk (Rust) Sep 5, 2024
adamspofford-dfinity
Path traversal vulnerability in stripe-cli High
CVE-2024-45401 was published for github.com/stripe/stripe-cli (Go) Sep 5, 2024
Nuclei Template Signature Verification Bypass High
CVE-2024-43405 was published for github.com/projectdiscovery/nuclei (Go) Sep 4, 2024
GuyGoldenberg
Missing connection timeout in Aardvark-dns High
CVE-2024-8418 was published for aardvark-dns (Rust) Sep 4, 2024
olm-sys: wrapped library unmaintained, potentially vulnerable High
GHSA-p2q9-36vw-c468 was published for olm-sys (Rust) Sep 3, 2024
Hoverfly allows an arbitrary file read in the `/api/v2/simulation` endpoint (`GHSL-2023-274`) High
CVE-2024-45388 was published for github.com/spectolabs/hoverfly (Go) Sep 3, 2024
pwntester
@actions/download-artifact has an Arbitrary File Write via artifact extraction High
GHSA-cxww-7g56-2vh6 was published for actions/download-artifact (GitHub Actions) Sep 3, 2024
holmanb
Denial of service in quinn-proto when using `Endpoint::retry()` High
CVE-2024-45311 was published for quinn-proto (Rust) Sep 3, 2024
finnbear BiagioFesta
@actions/artifact has an Arbitrary File Write via artifact extraction High
CVE-2024-42471 was published for @actions/artifact (npm) Sep 3, 2024
JLHwung
Pimcore includes vulnerable PHPOffice/PhpSpreadsheet High
GHSA-hq76-662x-7mw4 was published for pimcore/admin-ui-classic-bundle (Composer) Sep 3, 2024
ShawnRong-JJ
@blakeembrey/template vulnerable to code injection when attacker controls template input High
CVE-2024-45390 was published for @blakeembrey/template (npm) Sep 3, 2024
mcoimbra filipeom
Tina search token leak via lock file in TinaCMS High
CVE-2024-45391 was published for @tinacms/cli (npm) Sep 3, 2024
kldavis4 mattsbennett
Missing hostname validation in Kroxylicious High
CVE-2024-8285 was published for io.kroxylicious:kroxylicious-runtime (Maven) Aug 31, 2024
`spam` project on PyPI compromised, malicious releases made High
GHSA-2r6g-7r83-jg72 was published for spam (pip) Aug 30, 2024
opencv-python bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863 High
GHSA-qr4w-53vh-m672 was published for opencv-python (pip) Aug 30, 2024
opencv-contrib-python bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863 High
GHSA-cxjf-x6jp-p7mc was published for opencv-contrib-python (pip) Aug 30, 2024
opencv-python-headless bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863 High
GHSA-jh2j-j4j9-crg3 was published for opencv-python-headless (pip) Aug 30, 2024
opencv-contrib-python-headless bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863 High
GHSA-w2pj-9cgh-mq2c was published for opencv-contrib-python-headless (pip) Aug 30, 2024
gratient 0.5 contains credential harvesting code High
GHSA-xm4r-5rj9-2pg3 was published for gratient (pip) Aug 30, 2024
`exotel` project on PyPI compromised, malicious release made High
GHSA-x6xg-3fj2-4pq3 was published for exotel (pip) Aug 30, 2024
ProTip! Advisories are also available from the GraphQL API