Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
3,968
Erlang
29
GitHub Actions
16
Go
1,752
Maven
4,982
npm
3,516
NuGet
609
pip
3,090
Pub
10
RubyGems
832
Rust
782
Swift
34
Unreviewed advisories
All unreviewed
5,000+

178 advisories

Loading
Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following resulting in deletion of files and directories on the host system Critical
CVE-2023-25168 was published for github.com/pterodactyl/wings (Go) Feb 10, 2023
T4x0r
HashiCorp go-getter command injection Critical
CVE-2022-26945 was published for github.com/hashicorp/go-getter (Go) May 26, 2022
gosqljson SQL Injection vulnerability Critical
CVE-2014-125064 was published for github.com/elgs/gosqljson (Go) Jan 7, 2023
crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication Critical
CVE-2022-41912 was published for github.com/crewjam/saml (Go) Nov 29, 2022
JWT audience claim is not verified Critical
CVE-2023-22482 was published for github.com/argoproj/argo-cd (Go) Jan 25, 2023
farcaller
Authorization bypass in Openshift Critical
CVE-2016-1906 was published for github.com/openshift/origin (Go) Dec 20, 2021
Off-by-one Error in v2fly/v2ray-core Critical
CVE-2021-4070 was published for github.com/v2fly/v2ray-core (Go) Feb 24, 2022
TiDB vulnerable to Use of Externally-Controlled Format String Critical
CVE-2022-3023 was published for github.com/pingcap/tidb (Go) Nov 4, 2022
dwisiswant0
usememos/memos Cross-site Scripting vulnerability Critical
CVE-2022-4865 was published for github.com/usememos/memos (Go) Dec 31, 2022
gorilla/handlers may allow requester to bypass expected behavior of the Same Origin Policy Critical
CVE-2017-20146 was published for github.com/gorilla/handlers (Go) Dec 28, 2022
usememos/memos vulnerable to Cross-site Scripting Critical
CVE-2022-4866 was published for github.com/usememos/memos (Go) Dec 31, 2022
golang-nanoauth authentication bypass vulnerability Critical
CVE-2020-36569 was published for github.com/nanobox-io/golang-nanoauth (Go) Dec 28, 2022
andrewpollock
HashiCorp Vault vulnerable to incorrect metadata access Critical
CVE-2022-40186 was published for github.com/hashicorp/vault (Go) Sep 23, 2022
Improper kubeconfig validation allows arbitrary code execution Critical
CVE-2022-24817 was published for github.com/fluxcd/flux2 (Go) May 16, 2022
pjbgf
Gogs vulnerable to Cross-site Scripting Critical
CVE-2022-32174 was published for gogs.io/gogs (Go) Oct 11, 2022
Authentication Bypass in dex Critical
CVE-2020-27847 was published for github.com/dexidp/dex (Go) Dec 20, 2021
Git LFS can execute a Git binary from the current directory Critical
CVE-2020-27955 was published for github.com/git-lfs/git-lfs (Go) Feb 11, 2022
dawidgolunski
Authentication Bypass in tyk-identity-broker Critical
CVE-2021-23365 was published for github.com/tyktechnologies/tyk-identity-broker (Go) Jun 23, 2021
Path Traversal in Dutchcoders transfer.sh Critical
CVE-2021-33497 was published for github.com/dutchcoders/transfer.sh (Go) Jun 29, 2021
Improper path handling in kustomization files allows path traversal Critical
CVE-2022-24877 was published for github.com/fluxcd/flux2 (Go) May 4, 2022
hiddeco kurt-r2c
Rancher API and cluster.management.cattle.io object vulnerable to plaintext storage and exposure of credentials Critical
CVE-2021-36782 was published for github.com/rancher/rancher (Go) Sep 23, 2022
Gitea vulnerable to Argument Injection Critical
CVE-2022-42968 was published for github.com/go-gitea/gitea (Go) Oct 16, 2022
HashiCorp Vault underlying database had excessively broad filesystem permissions from v1.4.0 until v1.8.0 Critical
CVE-2021-38553 was published for github.com/hashicorp/vault (Go) Aug 30, 2021
avivdolev
Gin-vue-admin subject to Remote Code Execution via file upload vulnerability Critical
CVE-2022-39345 was published for github.com/flipped-aurora/gin-vue-admin/server (Go) Oct 25, 2022
0xngs
KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys Critical
CVE-2023-22463 was published for github.com/KubeOperator/kubepi (Go) Jan 6, 2023
ProTip! Advisories are also available from the GraphQL API