GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
178 advisories
Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following resulting in deletion of files and directories on the host system (Critical). CVE-2023-25168 was published for github.com/pterodactyl/wings (Go) on Feb 10, 2023.
HashiCorp go-getter command injection (Critical). CVE-2022-26945 was published for github.com/hashicorp/go-getter (Go) on May 26, 2022.
gosqljson SQL Injection vulnerability (Critical). CVE-2014-125064 was published for github.com/elgs/gosqljson (Go) on Jan 7, 2023.
crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication (Critical). CVE-2022-41912 was published for github.com/crewjam/saml (Go) on Nov 29, 2022.
JWT audience claim is not verified (Critical). CVE-2023-22482 was published for github.com/argoproj/argo-cd (Go) on Jan 25, 2023.
Authorization bypass in Openshift (Critical). CVE-2016-1906 was published for github.com/openshift/origin (Go) on Dec 20, 2021.
Off-by-one Error in v2fly/v2ray-core (Critical). CVE-2021-4070 was published for github.com/v2fly/v2ray-core (Go) on Feb 24, 2022.
TiDB vulnerable to Use of Externally-Controlled Format String (Critical). CVE-2022-3023 was published for github.com/pingcap/tidb (Go) on Nov 4, 2022.
usememos/memos Cross-site Scripting vulnerability (Critical). CVE-2022-4865 was published for github.com/usememos/memos (Go) on Dec 31, 2022.
gorilla/handlers may allow requester to bypass expected behavior of the Same Origin Policy (Critical). CVE-2017-20146 was published for github.com/gorilla/handlers (Go) on Dec 28, 2022.
usememos/memos vulnerable to Cross-site Scripting (Critical). CVE-2022-4866 was published for github.com/usememos/memos (Go) on Dec 31, 2022.
golang-nanoauth authentication bypass vulnerability (Critical). CVE-2020-36569 was published for github.com/nanobox-io/golang-nanoauth (Go) on Dec 28, 2022.
HashiCorp Vault vulnerable to incorrect metadata access (Critical). CVE-2022-40186 was published for github.com/hashicorp/vault (Go) on Sep 23, 2022.
Improper kubeconfig validation allows arbitrary code execution (Critical). CVE-2022-24817 was published for github.com/fluxcd/flux2 (Go) on May 16, 2022.
Gogs vulnerable to Cross-site Scripting (Critical). CVE-2022-32174 was published for gogs.io/gogs (Go) on Oct 11, 2022.
Authentication Bypass in dex (Critical). CVE-2020-27847 was published for github.com/dexidp/dex (Go) on Dec 20, 2021.
Git LFS can execute a Git binary from the current directory (Critical). CVE-2020-27955 was published for github.com/git-lfs/git-lfs (Go) on Feb 11, 2022.
Authentication Bypass in tyk-identity-broker (Critical). CVE-2021-23365 was published for github.com/tyktechnologies/tyk-identity-broker (Go) on Jun 23, 2021.
Path Traversal in Dutchcoders transfer.sh (Critical). CVE-2021-33497 was published for github.com/dutchcoders/transfer.sh (Go) on Jun 29, 2021.
Improper path handling in kustomization files allows path traversal (Critical). CVE-2022-24877 was published for github.com/fluxcd/flux2 (Go) on May 4, 2022.
Rancher API and cluster.management.cattle.io object vulnerable to plaintext storage and exposure of credentials (Critical). CVE-2021-36782 was published for github.com/rancher/rancher (Go) on Sep 23, 2022.
Gitea vulnerable to Argument Injection (Critical). CVE-2022-42968 was published for github.com/go-gitea/gitea (Go) on Oct 16, 2022.
HashiCorp Vault underlying database had excessively broad filesystem permissions from v1.4.0 until v1.8.0 (Critical). CVE-2021-38553 was published for github.com/hashicorp/vault (Go) on Aug 30, 2021.
Gin-vue-admin subject to Remote Code Execution via file upload vulnerability (Critical). CVE-2022-39345 was published for github.com/flipped-aurora/gin-vue-admin/server (Go) on Oct 25, 2022.
KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys (Critical). CVE-2023-22463 was published for github.com/KubeOperator/kubepi (Go) on Jan 6, 2023.
Advisories are also available from the GraphQL API.