GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
4,090
Erlang
29
GitHub Actions
19
Go
1,915
Maven
5,000+
npm
3,646
NuGet
638
pip
3,262
Pub
10
RubyGems
870
Rust
821
Swift
35
Unreviewed advisories
All unreviewed
5,000+
695 advisories
Filter by severity
Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources
High
CVE-2021-25318
was published
for
github.com/rancher/rancher
(Go)
Apr 24, 2024
Account Takeover via Session Fixation in Zitadel [Bypassing MFA]
High
CVE-2024-28197
was published
for
github.com/zitadel/zitadel
(Go)
Mar 11, 2024
registry-support: decompress can delete files outside scope via relative paths
High
CVE-2024-1485
was published
for
github.com/devfile/registry-support/registry-library
(Go)
Feb 14, 2024
Ingress-nginx code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation
High
CVE-2023-5044
was published
for
k8s.io/ingress-nginx
(Go)
Oct 25, 2023
Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider
High
CVE-2023-22650
was published
for
github.com/rancher/rancher
(Go)
Jun 17, 2024
LocalAI path traversal vulnerability
High
CVE-2024-5182
was published
for
github.com/go-skynet/LocalAI
(Go)
Jun 20, 2024
Nginx-UI vulnerable to authenticated RCE through injecting into the application config via CRLF
High
CVE-2024-23828
was published
for
github.com/0xJacky/Nginx-UI
(Go)
Jan 29, 2024
Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers
High
CVE-2024-23656
was published
for
github.com/dexidp/dex
(Go)
Jan 26, 2024
Grafana folders admin only permission privilege escalation
High
CVE-2022-36062
was published
for
github.com/grafana/grafana
(Go)
May 14, 2024
Grafana account takeover via OAuth vulnerability
High
CVE-2022-31107
was published
for
github.com/grafana/grafana
(Go)
May 14, 2024
Apache ServiceComb Service-Center Server-Side Request Forgery vulnerability
High
CVE-2023-44313
was published
for
github.com/apache/servicecomb-service-center
(Go)
Jan 31, 2024
Rancher's Steve API Component Improper authorization check allows privilege escalation
High
CVE-2021-36776
was published
for
github.com/rancher/rancher
(Go)
Apr 24, 2024
Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication
High
CVE-2021-36775
was published
for
github.com/rancher/rancher
(Go)
Apr 24, 2024
Rancher Privilege escalation vulnerability via malicious "Connection" header
High
CVE-2021-31999
was published
for
github.com/rancher/rancher
(Go)
Apr 24, 2024
Helm's Missing YAML Content Leads To Panic
High
CVE-2024-26147
was published
for
helm.sh/helm/v3
(Go)
Feb 22, 2024
Beego privilege escalation vulnerability
High
CVE-2024-40464
was published
for
github.com/beego/beego/v2
(Go)
Jul 31, 2024
projectdiscovery/nuclei allows unsigned code template execution through workflows
High
CVE-2024-40641
was published
for
github.com/projectdiscovery/nuclei/v3
(Go)
Jul 17, 2024
rudder-server is vulnerable to SQL injection
High
CVE-2023-30625
was published
for
github.com/rudderlabs/rudder-server
(Go)
Aug 5, 2024
CasaOS Command Injection vulnerability
High
CVE-2023-37469
was published
for
github.com/IceWhaleTech/CasaOS
(Go)
Aug 5, 2024
Meshery SQL Injection vulnerability
High
CVE-2024-29031
was published
for
github.com/layer5io/meshery
(Go)
Aug 5, 2024
gotortc vulnerable to Cross-Site Request Forgery
High
CVE-2024-29192
was published
for
github.com/AlexxIT/go2rtc
(Go)
Aug 5, 2024
Owncast Cross-Site Request Forgery vulnerability
High
CVE-2024-29026
was published
for
github.com/owncast/owncast
(Go)
Aug 5, 2024
RobotsAndPencils go-saml authentication bypass vulnerability
High
CVE-2023-48703
was published
for
github.com/RobotsAndPencils/go-saml
(Go)
Aug 5, 2024
Duplicate Advisory: Juju leaks of the sensitive context ID
High
GHSA-8c64-q78q-87r6
was published
for
github.com/juju/juju
(Go)
Jul 29, 2024
•
withdrawn
Sliver Allows Authenticated Operator-to-Server Remote Code Execution
High
CVE-2024-41111
was published
for
github.com/bishopfox/sliver
(Go)
Jul 18, 2024
ProTip!
Advisories are also available from the
GraphQL API