GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
4,273
Erlang
31
GitHub Actions
21
Go
2,055
Maven
5,000+
npm
3,739
NuGet
668
pip
3,417
Pub
12
RubyGems
891
Rust
872
Swift
36
Unreviewed advisories
All unreviewed
5,000+
3,132 advisories
Filter by severity
happy-dom allows for server side code to be executed by a <script> tag
Critical
CVE-2024-51757
was published
for
happy-dom
(npm)
Nov 6, 2024
Osmedeus Web Server Vulnerable to Stored XSS, Leading to RCE
Critical
CVE-2024-51735
was published
for
github.com/j3ssie/osmedeus
(Go)
Nov 5, 2024
CRLF injection in Refit's [Header], [HeaderCollection] and [Authorize] attributes
Critical
CVE-2024-51501
was published
for
Refit
(NuGet)
Nov 4, 2024
DOMPurify vulnerable to tampering by prototype polution
Critical
CVE-2024-48910
was published
for
dompurify
(npm)
Oct 31, 2024
NVIDIA Container Toolkit contains a Time-of-check Time-of-Use (TOCTOU) vulnerability
Critical
CVE-2024-0132
was published
for
github.com/NVIDIA/nvidia-container-toolkit
(Go)
Oct 29, 2024
Waitress has request processing race condition in HTTP pipelining with invalid first request
Critical
CVE-2024-49768
was published
for
waitress
(pip)
Oct 29, 2024
Withdrawn Advisory: go-mysql affected by go.uuid's Predictable UUID Identifiers
Critical
GHSA-rc7v-65v6-m2v3
was published
for
github.com/go-mysql-org/go-mysql
(Go)
Oct 28, 2024
•
withdrawn
Spring Security vulnerable to Authorization Bypass of Static Resources in WebFlux Applications
Critical
CVE-2024-38821
was published
for
org.springframework.security:spring-security-web
(Maven)
Oct 28, 2024
github.com/crossplane/crossplane: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
Critical
GHSA-7h65-4p22-39j6
was published
for
github.com/crossplane/crossplane
(Go)
Oct 25, 2024
RKE2 allows privilege escalation in Windows nodes due to Insecure Access Control Lists
Critical
GHSA-x7xj-jvwp-97rv
was published
for
github.com/rancher/rke2
(Go)
Oct 25, 2024
Rancher Remote Code Execution via Cluster/Node Drivers
Critical
CVE-2024-22036
was published
for
github.com/rancher/rancher
(Go)
Oct 25, 2024
Rancher allows privilege escalation in Windows nodes due to Insecure Access Control Lists
Critical
CVE-2023-32197
was published
for
github.com/rancher/rancher
(Go)
Oct 25, 2024
Butterfly has path/URL confusion in resource handling leading to multiple weaknesses
Critical
CVE-2024-47883
was published
for
org.openrefine.dependencies:butterfly
(Maven)
Oct 24, 2024
Grafana Command Injection And Local File Inclusion Via Sql Expressions
Critical
CVE-2024-9264
was published
for
github.com/grafana/grafana
(Go)
Oct 18, 2024
Duplicate Advisory: Permissive Regular Expression in tacquito
Critical
GHSA-j42f-wc6v-5xpq
was published
for
github.com/tacquito/tacquito
(Go)
Oct 17, 2024
•
withdrawn
Improper Authentication vulnerability in Apache Solr
Critical
CVE-2024-45216
was published
for
org.apache.solr:solr
(Maven)
Oct 16, 2024
VM images built with Image Builder and Proxmox provider use default credentials in github.com/kubernetes-sigs/image-builder
Critical
CVE-2024-9486
was published
for
github.com/kubernetes-sigs/image-builder
(Go)
Oct 15, 2024
changedetection.io has a Server Side Template Injection using Jinja2 which allows Remote Command Execution
Critical
CVE-2024-32651
was published
for
changedetection.io
(pip)
Oct 15, 2024
Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy
Critical
CVE-2024-48914
was published
for
@vendure/asset-server-plugin
(npm)
Oct 15, 2024
pac4j-core affected by a Java deserialization vulnerability
Critical
CVE-2023-25581
was published
for
org.pac4j:pac4j-core
(Maven)
Oct 11, 2024
angular-base64-upload vulnerable to unauthenticated remote code execution
Critical
CVE-2024-42640
was published
for
angular-base64-upload
(npm)
Oct 11, 2024
SSOReady has an XML Signature Bypass via differential XML parsing
Critical
CVE-2024-47832
was published
for
github.com/ssoready/ssoready
(Go)
Oct 11, 2024
JSONPath Plus Remote Code Execution (RCE) Vulnerability
Critical
CVE-2024-21534
was published
for
jsonpath-plus
(Maven)
Oct 11, 2024
Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK)
Critical
CVE-2024-47561
was published
for
org.apache.avro:avro
(Maven)
Oct 3, 2024
Jenkins OpenId Connect Authentication Plugin lacks issuer claim validation
Critical
CVE-2024-47807
was published
for
org.jenkins-ci.plugins:oic-auth
(Maven)
Oct 2, 2024
ProTip!
Advisories are also available from the
GraphQL API