GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
GitHub reviewed advisories, by ecosystem:

| Ecosystem      | Advisories |
|----------------|-----------:|
| All reviewed   | 5,000+     |
| Composer       | 3,413      |
| Erlang         | 28         |
| GitHub Actions | 16         |
| Go             | 1,653      |
| Maven          | 4,915      |
| npm            | 3,441      |
| NuGet          | 594        |
| pip            | 2,821      |
| Pub            | 10         |
| RubyGems       | 823        |
| Rust           | 762        |
| Swift          | 34         |

Unreviewed advisories:

| Ecosystem      | Advisories |
|----------------|-----------:|
| All unreviewed | 5,000+     |
18,294 advisories
xml-crypto vulnerable to XML signature verification bypass due to improper verification of signature/signature spoofing Critical
CVE-2024-32962 was published for xml-crypto (npm)
May 1, 2024
Yamux Memory Exhaustion Vulnerability via Active::pending_frames property High
CVE-2024-32984 was published for yamux (Rust)
May 1, 2024
XMLUnit for Java has Insecure Defaults when Processing XSLT Stylesheets Low
CVE-2024-31573 was published for org.xmlunit:xmlunit-core (Maven)
May 1, 2024
static-web-server vulnerable to stored Cross-site Scripting in directory listings via file names Moderate
CVE-2024-32966 was published for static-web-server (Rust)
May 1, 2024
Phlex vulnerable to Cross-site Scripting (XSS) via maliciously formed HTML attribute names and values High
CVE-2024-32970 was published for phlex (RubyGems)
May 1, 2024
Zitadel exposing internal database user name and host information Moderate
CVE-2024-32967 was published for github.com/zitadel/zitadel (Go)
May 1, 2024
Wagtail has permission check bypass when editing a model with per-field restrictions through `wagtail.contrib.settings` or `ModelViewSet` Low
CVE-2024-32882 was published for wagtail (pip)
May 1, 2024
Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation High
CVE-2023-36821 was published for uptime-kuma (npm)
May 1, 2024
Uptime Kuma's authenticated path traversal via plugin repository name may lead to unavailability or data loss Moderate
CVE-2023-36822 was published for uptime-kuma (npm)
May 1, 2024
nautobot has reflected Cross-site Scripting potential in all object list views High
CVE-2024-32979 was published for nautobot (pip)
May 1, 2024
Navidrome Parameter Tampering vulnerability Moderate
CVE-2024-32963 was published for github.com/navidrome/navidrome (Go)
May 1, 2024
Duplicate Advisory: sqlparse parsing heavily nested list leads to Denial of Service High
GHSA-62qf-jcq8-8gxw was published for sqlparse (pip)
Apr 30, 2024
• withdrawn
CRI-O vulnerable to an arbitrary systemd property injection High
CVE-2024-3154 was published for github.com/cri-o/cri-o (Go)
Apr 30, 2024
ejs lacks certain pollution protection Moderate
CVE-2024-33883 was published for ejs (npm)
Apr 28, 2024
Lavalite CMS Cross Site Scripting vulnerability Moderate
CVE-2024-31828 was published for lavalite/cms (Composer)
Apr 27, 2024
Sidekiq vulnerable to a Reflected XSS in Queues Web Page Moderate
CVE-2024-32887 was published for sidekiq (RubyGems)
Apr 26, 2024
Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences Moderate
CVE-2024-32476 was published for github.com/argoproj/argo-cd/v2 (Go)
Apr 26, 2024
Mattermost allows team admins to promote guests to team admins Low
CVE-2024-4195 was published for github.com/mattermost/mattermost-server (Go)
Apr 26, 2024
Mattermost's detailed error messages reveal the full file path Moderate
CVE-2024-32046 was published for github.com/mattermost/mattermost-server (Go)
Apr 26, 2024
Mattermost crashes web clients via a malformed custom status Moderate
CVE-2024-4182 was published for github.com/mattermost/mattermost-server (Go)
Apr 26, 2024
Mattermost fails to limit the number of active sessions Moderate
CVE-2024-4183 was published for github.com/mattermost/mattermost-server (Go)
Apr 26, 2024
Mattermost fails to fully validate role changes Low
CVE-2024-4198 was published for github.com/mattermost/mattermost-server (Go)
Apr 26, 2024
Mattermost fails to limit the size of a request path Low
CVE-2024-22091 was published for github.com/mattermost/mattermost-server (Go)
Apr 26, 2024
Withdrawn: Runc allows an arbitrary systemd property to be injected High
GHSA-c5pj-mqfh-rvc3 was published for github.com/opencontainers/runc (Go)
Apr 26, 2024
• withdrawn
Passbolt API allows HTML injection Moderate
CVE-2024-33670 was published for passbolt/passbolt_api (Composer)
Apr 26, 2024