GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
4,055
Erlang
29
GitHub Actions
19
Go
1,889
Maven
5,000+
npm
3,605
NuGet
638
pip
3,208
Pub
10
RubyGems
852
Rust
816
Swift
35
Unreviewed advisories
All unreviewed
5,000+
78 advisories
Filter by severity
Argo CD improper access control bug can allow malicious user to escalate privileges to admin level
High
CVE-2022-1025
was published
for
github.com/argoproj/argo-cd
(Go)
Jul 13, 2022
gomatrixserverlib and Dendrite vulnerable to incorrect parsing of the event default power level in event auth
Moderate
CVE-2022-36009
was published
for
github.com/matrix-org/dendrite
(Go)
Aug 30, 2022
Broken Authorization in ZITADEL Actions
High
CVE-2022-36051
was published
for
github.com/zitadel/zitadel
(Go)
Aug 30, 2022
Buildah's incorrect handling of the supplementary groups may lead to data disclosure, modification
High
CVE-2022-2990
was published
for
github.com/containers/buildah
(Go)
Sep 14, 2022
Podman's incorrect handling of the supplementary groups may lead to data disclosure, modification
High
CVE-2022-2989
was published
for
github.com/containers/podman/v3
(Go)
Sep 14, 2022
Talos worker join token can be used to get elevated access level to the Talos API
High
CVE-2022-36103
was published
for
github.com/talos-systems/talos
(Go)
Sep 16, 2022
Docker supplementary group permissions not set up properly, allowing attackers to bypass primary group restrictions
Moderate
CVE-2022-36109
was published
for
github.com/docker/docker
(Go)
Sep 16, 2022
Team scope authorization bypass when Post/Put request with :team_name in body, allows HTTP parameter pollution
Moderate
CVE-2022-31683
was published
for
github.com/concourse/concourse
(Go)
Oct 19, 2022
OpenFGA subject to Information Disclosure via streamed-list-objects endpoint
Moderate
CVE-2022-39340
was published
for
github.com/openfga/openfga
(Go)
Oct 25, 2022
OpenFGA Authorization Bypass
Moderate
CVE-2022-39342
was published
for
github.com/openfga/openfga
(Go)
Oct 25, 2022
OpenFGA Authorization Bypass via tupleset wildcard
Moderate
CVE-2022-39341
was published
for
github.com/openfga/openfga
(Go)
Oct 25, 2022
OpenFGA Authorization Bypass
Moderate
CVE-2022-39352
was published
for
github.com/openfga/openfga
(Go)
Nov 8, 2022
Istio may allow identity impersonation if user has localhost access
High
CVE-2022-39388
was published
for
github.com/istio/istio
(Go)
Nov 9, 2022
Capsule vulnerable to privilege escalation by ServiceAccount deployed in a Tenant Namespace
High
CVE-2022-46167
was published
for
github.com/clastix/capsule
(Go)
Dec 5, 2022
AAD Pod Identity obtaining token with backslash
Moderate
CVE-2022-23551
was published
for
github.com/Azure/aad-pod-identity
(Go)
Dec 21, 2022
destiny.gg chat vulnerable to cross-site request forgery
High
CVE-2020-36625
was published
for
github.com/destinygg/chat
(Go)
Dec 22, 2022
usememos/memos Improper Authorization vulnerability
Moderate
CVE-2022-4811
was published
for
github.com/usememos/memos
(Go)
Dec 28, 2022
KubeOperator allows unauthorized access to system API
High
CVE-2023-22480
was published
for
github.com/KubeOperator/KubeOperator
(Go)
Jan 9, 2023
JWT audience claim is not verified
Critical
CVE-2023-22482
was published
for
github.com/argoproj/argo-cd
(Go)
Jan 25, 2023
Supplementary groups are not set up properly in github.com/containerd/containerd
Moderate
CVE-2023-25173
was published
for
github.com/containerd/containerd
(Go)
Feb 16, 2023
Users with any cluster secret update access may update out-of-bounds cluster secrets
Critical
CVE-2023-23947
was published
for
github.com/argoproj/argo-cd
(Go)
Feb 16, 2023
Privilege escalation in MOSN
Critical
CVE-2021-32163
was published
for
mosn.io/mosn
(Go)
Feb 17, 2023
On a compromised node, the virt-handler service account can be used to modify all node specs
High
CVE-2023-26484
was published
for
kubevirt.io/kubevirt
(Go)
Mar 16, 2023
Potential network policy bypass when routing IPv6 traffic
Moderate
CVE-2023-27594
was published
for
github.com/cilium/cilium
(Go)
Mar 17, 2023
On a compromised node, the fluid-csi service account can be used to modify node specs
Moderate
CVE-2023-30840
was published
for
github.com/fluid-cloudnative/fluid
(Go)
May 9, 2023
ProTip!
Advisories are also available from the
GraphQL API