Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,132 advisories

Loading
happy-dom allows for server side code to be executed by a <script> tag Critical
CVE-2024-51757 was published for happy-dom (npm) Nov 6, 2024
kevin-mizu
Osmedeus Web Server Vulnerable to Stored XSS, Leading to RCE Critical
CVE-2024-51735 was published for github.com/j3ssie/osmedeus (Go) Nov 5, 2024
n00b-bot
CRLF injection in Refit's [Header], [HeaderCollection] and [Authorize] attributes Critical
CVE-2024-51501 was published for Refit (NuGet) Nov 4, 2024
sofiaml glennawatson
DOMPurify vulnerable to tampering by prototype polution Critical
CVE-2024-48910 was published for dompurify (npm) Oct 31, 2024
eslerm
NVIDIA Container Toolkit contains a Time-of-check Time-of-Use (TOCTOU) vulnerability Critical
CVE-2024-0132 was published for github.com/NVIDIA/nvidia-container-toolkit (Go) Oct 29, 2024
Waitress has request processing race condition in HTTP pipelining with invalid first request Critical
CVE-2024-49768 was published for waitress (pip) Oct 29, 2024
digitalresistor mmerickel
Withdrawn Advisory: go-mysql affected by go.uuid's Predictable UUID Identifiers Critical
GHSA-rc7v-65v6-m2v3 was published for github.com/go-mysql-org/go-mysql (Go) Oct 28, 2024 withdrawn
Fidget-Grep
Spring Security vulnerable to Authorization Bypass of Static Resources in WebFlux Applications Critical
CVE-2024-38821 was published for org.springframework.security:spring-security-web (Maven) Oct 28, 2024
github.com/crossplane/crossplane: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses Critical
GHSA-7h65-4p22-39j6 was published for github.com/crossplane/crossplane (Go) Oct 25, 2024
aditya-mayo
RKE2 allows privilege escalation in Windows nodes due to Insecure Access Control Lists Critical
GHSA-x7xj-jvwp-97rv was published for github.com/rancher/rke2 (Go) Oct 25, 2024
Rancher Remote Code Execution via Cluster/Node Drivers Critical
CVE-2024-22036 was published for github.com/rancher/rancher (Go) Oct 25, 2024
Rancher allows privilege escalation in Windows nodes due to Insecure Access Control Lists Critical
CVE-2023-32197 was published for github.com/rancher/rancher (Go) Oct 25, 2024
Butterfly has path/URL confusion in resource handling leading to multiple weaknesses Critical
CVE-2024-47883 was published for org.openrefine.dependencies:butterfly (Maven) Oct 24, 2024
Grafana Command Injection And Local File Inclusion Via Sql Expressions Critical
CVE-2024-9264 was published for github.com/grafana/grafana (Go) Oct 18, 2024
Malayke
Duplicate Advisory: Permissive Regular Expression in tacquito Critical
GHSA-j42f-wc6v-5xpq was published for github.com/tacquito/tacquito (Go) Oct 17, 2024 withdrawn
Improper Authentication vulnerability in Apache Solr Critical
CVE-2024-45216 was published for org.apache.solr:solr (Maven) Oct 16, 2024
VM images built with Image Builder and Proxmox provider use default credentials in github.com/kubernetes-sigs/image-builder Critical
CVE-2024-9486 was published for github.com/kubernetes-sigs/image-builder (Go) Oct 15, 2024
changedetection.io has a Server Side Template Injection using Jinja2 which allows Remote Command Execution Critical
CVE-2024-32651 was published for changedetection.io (pip) Oct 15, 2024
edoardottt dgtlmoon
Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy Critical
CVE-2024-48914 was published for @vendure/asset-server-plugin (npm) Oct 15, 2024
pac4j-core affected by a Java deserialization vulnerability Critical
CVE-2023-25581 was published for org.pac4j:pac4j-core (Maven) Oct 11, 2024
angular-base64-upload vulnerable to unauthenticated remote code execution Critical
CVE-2024-42640 was published for angular-base64-upload (npm) Oct 11, 2024
rvizx
SSOReady has an XML Signature Bypass via differential XML parsing Critical
CVE-2024-47832 was published for github.com/ssoready/ssoready (Go) Oct 11, 2024
ahacker1-securesaml
JSONPath Plus Remote Code Execution (RCE) Vulnerability Critical
CVE-2024-21534 was published for jsonpath-plus (Maven) Oct 11, 2024
jdong10
Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK) Critical
CVE-2024-47561 was published for org.apache.avro:avro (Maven) Oct 3, 2024
dbrugman
Jenkins OpenId Connect Authentication Plugin lacks issuer claim validation Critical
CVE-2024-47807 was published for org.jenkins-ci.plugins:oic-auth (Maven) Oct 2, 2024
ProTip! Advisories are also available from the GraphQL API