GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
4,023
Erlang
29
GitHub Actions
16
Go
1,830
Maven
5,000+
npm
3,573
NuGet
632
pip
3,156
Pub
10
RubyGems
847
Rust
796
Swift
34
Unreviewed advisories
All unreviewed
5,000+
19,726 advisories
Filter by severity
Kubean vulnerable to cluster-level privilege escalation
Moderate
CVE-2024-41820
was published
for
github.com/kubean-io/kubean
(Go)
Aug 5, 2024
snapd failed to properly check the destination of symbolic links when extracting a snap
Moderate
CVE-2024-29069
was published
for
github.com/snapcore/snapd
(Go)
Jul 25, 2024
snapd failed to properly check the file type when extracting a snap
Moderate
CVE-2024-29068
was published
for
github.com/snapcore/snapd
(Go)
Jul 25, 2024
snapd failed to restrict writes to the $HOME/bin path
Moderate
CVE-2024-1724
was published
for
github.com/snapcore/snapd
(Go)
Jul 25, 2024
Volcano has insecure permissions
Critical
CVE-2024-36533
was published
for
github.com/volcano-sh/volcano
(Go)
Jul 24, 2024
fabedge has insecure permissions
High
CVE-2024-36536
was published
for
github.com/fabedge/fabedge
(Go)
Jul 24, 2024
The Argo CD web terminal session does not handle the revocation of user permissions properly
Moderate
CVE-2024-41666
was published
for
github.com/argoproj/argo-cd/v2
(Go)
Jul 24, 2024
Woodpecker's custom workspace allow to overwrite plugin entrypoint executable
High
CVE-2024-41121
was published
for
go.woodpecker-ci.org/woodpecker
(Go)
Jul 19, 2024
Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint
High
CVE-2024-40634
was published
for
github.com/argoproj/argo-cd
(Go)
Jul 22, 2024
Gorush uses deprecated TLS versions
Moderate
CVE-2024-41270
was published
for
github.com/appleboy/gorush
(Go)
Aug 6, 2024
NetBird uses a static initialization vector (IV)
High
CVE-2024-41260
was published
for
github.com/netbirdio/netbird
(Go)
Aug 1, 2024
pREST vulnerable to jwt bypass + sql injection
Critical
GHSA-wm25-j4gw-6vr3
was published
for
github.com/prest/prest
(Go)
Jul 30, 2024
Woodpecker's custom environment variables allow to alter execution flow of plugins
High
CVE-2024-41122
was published
for
go.woodpecker-ci.org/woodpecker
(Go)
Jul 19, 2024
Juju's unprivileged user running on charm node can leak any secret or relation data accessible to the local charm
High
GHSA-6vjm-54vp-mxhx
was published
for
github.com/juju/juju
(Go)
Aug 5, 2024
Keycloak secondary factor bypass in step-up authentication
Moderate
CVE-2023-3597
was published
for
org.keycloak:keycloak-services
(Maven)
Apr 17, 2024
electron-updater Code Signing Bypass on Windows
High
CVE-2024-39698
was published
for
electron-updater
(npm)
Jul 9, 2024
Qwik has a potential mXSS vulnerability due to improper HTML escaping
Moderate
CVE-2024-41677
was published
for
@builder.io/qwik
(npm)
Aug 6, 2024
Roundup Cross-site Scripting Vulnerability
Moderate
CVE-2024-39126
was published
for
roundup
(pip)
Jul 17, 2024
gix-path can use a fake program files location
Moderate
CVE-2024-40644
was published
for
gix-path
(Rust)
Jul 18, 2024
Roundup Cross-site Scripting Vulnerability
Moderate
CVE-2024-39125
was published
for
roundup
(pip)
Jul 17, 2024
Kubernetes sets incorrect permissions on Windows containers logs
Moderate
CVE-2024-5321
was published
for
k8s.io/kubernetes
(Go)
Jul 18, 2024
vodozemac's usage of non-constant time base64 decoder could lead to leakage of secret key material
Low
CVE-2024-40640
was published
for
vodozemac
(Rust)
Jul 17, 2024
The OpenSearch reporting plugin improperly controls tenancy access to reporting resources
Moderate
CVE-2024-39900
was published
for
org.opensearch.plugin:opensearch-reports-scheduler
(Maven)
Jul 18, 2024
OpenSearch Observability does not properly restrict access to private tenant resources
Moderate
CVE-2024-39901
was published
for
org.opensearch.plugin:opensearch-observability
(Maven)
Jul 10, 2024
Apache StreamPipes has potential remote code execution (RCE) via file upload
High
CVE-2024-31411
was published
for
org.apache.streampipes:streampipes-parent
(Maven)
Jul 17, 2024
ProTip!
Advisories are also available from the
GraphQL API