GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
3,996
Erlang
29
GitHub Actions
16
Go
1,782
Maven
5,000+
npm
3,545
NuGet
620
pip
3,136
Pub
10
RubyGems
838
Rust
795
Swift
34
Unreviewed advisories
All unreviewed
5,000+
19,583 advisories
Filter by severity
fast-xml-parser vulnerable to ReDOS at currency parsing
High
CVE-2024-41818
was published
for
fast-xml-parser
(npm)
Jul 29, 2024
Twisted vulnerable to HTML injection in HTTP redirect body
Moderate
CVE-2024-41810
was published
for
twisted
(pip)
Jul 29, 2024
tgstation-server's DreamMaker environment files outside the deployment directory can be compiled and ran by insufficiently permissioned users
High
CVE-2024-41799
was published
for
Tgstation.Server.Api
(NuGet)
Jul 29, 2024
Magento LTS vulnerable to stored Cross-site Scripting (XSS) in admin system configs
Moderate
CVE-2024-41676
was published
for
openmage/magento-lts
(Composer)
Jul 29, 2024
twisted.web has disordered HTTP pipeline response
High
CVE-2024-41671
was published
for
twisted
(pip)
Jul 29, 2024
Admidio Vulnerable to RCE via Arbitrary File Upload in Message Attachment
Critical
CVE-2024-38529
was published
for
admidio/admidio
(Composer)
Jul 29, 2024
Admidio has Blind SQL Injection in ecard_send.php
Critical
CVE-2024-37906
was published
for
admidio/admidio
(Composer)
Jul 29, 2024
RaspAP allows an attacker to escalate privileges
Critical
CVE-2024-41637
was published
for
billz/raspap-webgui
(Composer)
Jul 29, 2024
Starship vulnerable to shell injection via undocumented, unpredictable shell expansion in custom commands
High
CVE-2024-41815
was published
for
starship
(Rust)
Jul 26, 2024
XMP Toolkit's `XmpFile::close` can trigger undefined behavior
Low
GHSA-66fw-43h8-f8p3
was published
for
xmp_toolkit
(Rust)
Jul 26, 2024
Reflected Cross Site-Scripting (XSS) in Oveleon Cookiebar
Moderate
GHSA-296q-rj83-g9rq
was published
for
oveleon/contao-cookiebar
(Composer)
Jul 26, 2024
Elasticsearch Insertion of Sensitive Information into Log File
Moderate
CVE-2023-49921
was published
for
org.elasticsearch:elasticsearch
(Maven)
Jul 26, 2024
snapd failed to properly check the destination of symbolic links when extracting a snap
Moderate
CVE-2024-29069
was published
for
github.com/snapcore/snapd
(Go)
Jul 25, 2024
snapd failed to properly check the file type when extracting a snap
Moderate
CVE-2024-29068
was published
for
github.com/snapcore/snapd
(Go)
Jul 25, 2024
snapd failed to restrict writes to the $HOME/bin path
Moderate
CVE-2024-1724
was published
for
github.com/snapcore/snapd
(Go)
Jul 25, 2024
Craft CMS Allows TOTP Token To Stay Valid After Use
Moderate
CVE-2024-41800
was published
for
craftcms/cms
(Composer)
Jul 25, 2024
The kstring integration in gix-attributes is unsound
Low
GHSA-cx7h-h87r-jpgr
was published
for
gix-attributes
(Rust)
Jul 25, 2024
OpenAM FreeMarker template injection
High
CVE-2024-41667
was published
for
org.openidentityplatform.openam:openam-oauth2
(Maven)
Jul 25, 2024
Remote code execution in Spring Cloud Data Flow
Critical
CVE-2024-37084
was published
for
org.springframework.cloud:spring-cloud-skipper
(Maven)
Jul 25, 2024
Dolibarr ERP CRM vulnerable to remote code execution (RCE)
High
CVE-2024-40137
was published
for
dolibarr/dolibarr
(Composer)
Jul 24, 2024
The Argo CD web terminal session does not handle the revocation of user permissions properly
Moderate
CVE-2024-41666
was published
for
github.com/argoproj/argo-cd
(Go)
Jul 24, 2024
Apache Pinot: Unauthorized endpoint exposed sensitive information
High
CVE-2024-39676
was published
for
org.apache.pinot:pinot-controller
(Maven)
Jul 24, 2024
XML External Entity Reference (XXE) in the XML Format Plugin in Apache Drill
Moderate
CVE-2023-48362
was published
for
org.apache.drill.exec:drill-java-exec
(Maven)
Jul 24, 2024
OpenStack Nova vulnerable to unauthorized access to potentially sensitive data
Moderate
CVE-2024-40767
was published
for
Nova
(pip)
Jul 24, 2024
Sentry vulnerable to stored Cross-Site Scripting (XSS)
High
CVE-2024-41656
was published
for
sentry
(pip)
Jul 23, 2024
ProTip!
Advisories are also available from the
GraphQL API