GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
4,055
Erlang
29
GitHub Actions
19
Go
1,889
Maven
5,000+
npm
3,605
NuGet
638
pip
3,208
Pub
10
RubyGems
852
Rust
816
Swift
35
Unreviewed advisories
All unreviewed
5,000+
362 advisories
Filter by severity
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic.
Moderate
CVE-2021-38698
was published
for
github.com/hashicorp/consul
(Go)
Sep 8, 2021
Incorrect Authorization with specially crafted requests
High
CVE-2021-39206
was published
for
github.com/pomerium/pomerium
(Go)
Sep 10, 2021
Deno's static imports inside dynamically imported modules do not adhere to permission checks
Critical
CVE-2021-32619
was published
for
deno
(Rust)
Sep 23, 2021
Druid ingestion system Authenticated users can read data from other sources than intended
Moderate
CVE-2021-36749
was published
for
org.apache.druid:druid-core
(Maven)
Sep 27, 2021
Improper Authorization in Google OAuth Client
High
CVE-2020-7692
was published
for
com.google.oauth-client:google-oauth-client
(Maven)
Sep 28, 2021
Improper Access Control in Webauthn Framework
Critical
CVE-2021-38299
was published
for
web-auth/webauthn-framework
(Composer)
Sep 29, 2021
Cobbler before 3.3.0 allows authorization bypass for modification of settings.
High
CVE-2021-40325
was published
for
cobbler
(pip)
Oct 5, 2021
BuddyPress privilege escalation via REST API
High
CVE-2021-21389
was published
for
buddypress/buddypress
(Composer)
Oct 6, 2021
Incorrect Privilege Assignment in HashiCorp Vault
High
CVE-2021-42135
was published
for
github.com/hashicorp/vault
(Go)
Oct 12, 2021
SilverStripe GraphQL Server permission checker not inherited by query subclass.
Moderate
CVE-2021-28661
was published
for
silverstripe/graphql
(Composer)
Oct 12, 2021
Communities and collections administrators can escalate their privilege up to system administrator
High
CVE-2021-41189
was published
for
org.dspace:dspace-api
(Maven)
Nov 1, 2021
Publify `guest` role users can self-register even when the admin does not allow it
Moderate
CVE-2021-25973
was published
for
publify_core
(RubyGems)
Nov 3, 2021
OIDC claims not updated from Identity Provider in Pomerium
Moderate
CVE-2021-41230
was published
for
github.com/pomerium/pomerium
(Go)
Nov 10, 2021
Request injection in Spring Cloud Gateway
Moderate
CVE-2021-22051
was published
for
org.springframework.cloud:spring-cloud-gateway
(Maven)
Nov 10, 2021
Incorrect Authorization in Apache Ozone
Moderate
CVE-2021-39234
was published
for
org.apache.ozone:ozone-main
(Maven)
Nov 23, 2021
Apache Ozone user impersonation due to non-validation of Ozone S3 tokens
High
CVE-2021-39236
was published
for
org.apache.hadoop:hadoop-ozone-ozone-manager
(Maven)
Nov 23, 2021
Incorrect Authorization in Apache Ozone
High
CVE-2021-39232
was published
for
org.apache.ozone:ozone-main
(Maven)
Nov 23, 2021
Incorrect Authorization in Apache Ozone
Critical
CVE-2021-39233
was published
for
org.apache.ozone:ozone-main
(Maven)
Nov 23, 2021
EC-CUBE Improper access control in Management screen
Moderate
CVE-2021-20841
was published
for
ec-cube/ec-cube
(Composer)
Nov 25, 2021
bookstack is vulnerable to Improper Access Control
Moderate
CVE-2021-4026
was published
for
ssddanbrown/bookstack
(Composer)
Dec 1, 2021
kimai2 is vulnerable to Improper Access Control
Moderate
CVE-2021-3992
was published
for
kevinpapst/kimai2
(Composer)
Dec 3, 2021
Permissions not properly checked in Invenio-Drafts-Resources
Moderate
CVE-2021-43781
was published
for
invenio-app-rdm
(pip)
Dec 6, 2021
Improper Authorization in Keycloak
High
CVE-2021-4133
was published
for
org.keycloak:keycloak-services
(Maven)
Jan 6, 2022
Incorrect Authorization in latte/latte
Critical
CVE-2021-23803
was published
for
latte/latte
(Composer)
Jan 6, 2022
bookstack is vulnerable to Improper Access Control
Moderate
CVE-2021-4194
was published
for
ssddanbrown/bookstack
(Composer)
Jan 8, 2022
ProTip!
Advisories are also available from the
GraphQL API