Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
3,413
Erlang
28
GitHub Actions
16
Go
1,653
Maven
4,915
npm
3,441
NuGet
594
pip
2,821
Pub
10
RubyGems
823
Rust
762
Swift
34
Unreviewed advisories
All unreviewed
5,000+

18,294 advisories

xml-crypto vulnerable to XML signature verification bypass due improper verification of signature/signature spoofing Critical
CVE-2024-32962 was published for xml-crypto (npm) May 1, 2024
Yamux Memory Exhaustion Vulnerability via Active::pending_frames property High
CVE-2024-32984 was published for yamux (Rust) May 1, 2024
jxs marten-seemann
AgeManning
XMLUnit for Java has Insecure Defaults when Processing XSLT Stylesheets Low
CVE-2024-31573 was published for org.xmlunit:xmlunit-core (Maven) May 1, 2024
c1gar
static-web-server vulnerable to stored Cross-site Scripting in directory listings via file names Moderate
CVE-2024-32966 was published for static-web-server (Rust) May 1, 2024
palant joseluisq
Phlex vulnerable to Cross-site Scripting (XSS) via maliciously formed HTML attribute names and values High
CVE-2024-32970 was published for phlex (RubyGems) May 1, 2024
joeldrapper
Zitadel exposing internal database user name and host information Moderate
CVE-2024-32967 was published for github.com/zitadel/zitadel (Go) May 1, 2024
stiwari99 fforootd
livio-a
Wagtail has permission check bypass when editing a model with per-field restrictions through `wagtail.contrib.settings` or `ModelViewSet` Low
CVE-2024-32882 was published for wagtail (pip) May 1, 2024
jams2 Morsey187
RealOrangeOne laymonage
Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation High
CVE-2023-36821 was published for uptime-kuma (npm) May 1, 2024
n-thumann
Uptime Kuma's authenticated path traversal via plugin repository name may lead to unavailability or data loss Moderate
CVE-2023-36822 was published for uptime-kuma (npm) May 1, 2024
n-thumann
nautobot has reflected Cross-site Scripting potential in all object list views High
CVE-2024-32979 was published for nautobot (pip) May 1, 2024
michaelpanorios
Navidrome Parameter Tampering vulnerability Moderate
CVE-2024-32963 was published for github.com/navidrome/navidrome (Go) May 1, 2024
viliald
Duplicate Advisory: sqlparse parsing heavily nested list leads to Denial of Service High
GHSA-62qf-jcq8-8gxw was published for sqlparse (pip) Apr 30, 2024 withdrawn
CRI-O vulnerable to an arbitrary systemd property injection High
CVE-2024-3154 was published for github.com/cri-o/cri-o (Go) Apr 30, 2024
AkihiroSuda cclerget
ejs lacks certain pollution protection Moderate
CVE-2024-33883 was published for ejs (npm) Apr 28, 2024
Lavalite CMS Cross Site Scripting vulnerability Moderate
CVE-2024-31828 was published for lavalite/cms (Composer) Apr 27, 2024
Sidekiq vulnerable to a Reflected XSS in Queues Web Page Moderate
CVE-2024-32887 was published for sidekiq (RubyGems) Apr 26, 2024
UmerAdeemCheema
Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences Moderate
CVE-2024-32476 was published for github.com/argoproj/argo-cd/v2 (Go) Apr 26, 2024
crenshaw-dev
Mattermost allows team admins to promote guests to team admins Low
CVE-2024-4195 was published for github.com/mattermost/mattermost-server (Go) Apr 26, 2024
Mattermost's detailed error messages reveal the full file path Moderate
CVE-2024-32046 was published for github.com/mattermost/mattermost-server (Go) Apr 26, 2024
Mattermost crashes web clients via a malformed custom status Moderate
CVE-2024-4182 was published for github.com/mattermost/mattermost-server (Go) Apr 26, 2024
Mattermost fails to limit the number of active sessions Moderate
CVE-2024-4183 was published for github.com/mattermost/mattermost-server (Go) Apr 26, 2024
Mattermost fails to fully validate role changes Low
CVE-2024-4198 was published for github.com/mattermost/mattermost-server (Go) Apr 26, 2024
Mattermost fails to limit the size of a request path Low
CVE-2024-22091 was published for github.com/mattermost/mattermost-server (Go) Apr 26, 2024
Withdrawn: Runc allows an arbitrary systemd property to be injected High
GHSA-c5pj-mqfh-rvc3 was published for github.com/opencontainers/runc (Go) Apr 26, 2024 withdrawn
AkihiroSuda
Passbolt API allows HTML injection Moderate
CVE-2024-33670 was published for passbolt/passbolt_api (Composer) Apr 26, 2024
ProTip! Advisories are also available from the GraphQL API