Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,023
Erlang
29
GitHub Actions
16
Go
1,830
Maven
5,000+
npm
3,573
NuGet
632
pip
3,156
Pub
10
RubyGems
847
Rust
796
Swift
34
Unreviewed advisories
All unreviewed
5,000+

19,726 advisories

Loading
Kubean vulnerable to cluster-level privilege escalation Moderate
CVE-2024-41820 was published for github.com/kubean-io/kubean (Go) Aug 5, 2024
younaman
snapd failed to properly check the destination of symbolic links when extracting a snap Moderate
CVE-2024-29069 was published for github.com/snapcore/snapd (Go) Jul 25, 2024
snapd failed to properly check the file type when extracting a snap Moderate
CVE-2024-29068 was published for github.com/snapcore/snapd (Go) Jul 25, 2024
snapd failed to restrict writes to the $HOME/bin path Moderate
CVE-2024-1724 was published for github.com/snapcore/snapd (Go) Jul 25, 2024
Volcano has insecure permissions Critical
CVE-2024-36533 was published for github.com/volcano-sh/volcano (Go) Jul 24, 2024
fabedge has insecure permissions High
CVE-2024-36536 was published for github.com/fabedge/fabedge (Go) Jul 24, 2024
The Argo CD web terminal session does not handle the revocation of user permissions properly Moderate
CVE-2024-41666 was published for github.com/argoproj/argo-cd/v2 (Go) Jul 24, 2024
ClownandBox crenshaw-dev
pasha-codefresh
Woodpecker's custom workspace allow to overwrite plugin entrypoint executable High
CVE-2024-41121 was published for go.woodpecker-ci.org/woodpecker (Go) Jul 19, 2024
Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint High
CVE-2024-40634 was published for github.com/argoproj/argo-cd (Go) Jul 22, 2024
jake-ciolek crenshaw-dev
pasha-codefresh
Gorush uses deprecated TLS versions Moderate
CVE-2024-41270 was published for github.com/appleboy/gorush (Go) Aug 6, 2024
NetBird uses a static initialization vector (IV) High
CVE-2024-41260 was published for github.com/netbirdio/netbird (Go) Aug 1, 2024
pREST vulnerable to jwt bypass + sql injection Critical
GHSA-wm25-j4gw-6vr3 was published for github.com/prest/prest (Go) Jul 30, 2024
mihail8531
Woodpecker's custom environment variables allow to alter execution flow of plugins High
CVE-2024-41122 was published for go.woodpecker-ci.org/woodpecker (Go) Jul 19, 2024
Juju's unprivileged user running on charm node can leak any secret or relation data accessible to the local charm High
GHSA-6vjm-54vp-mxhx was published for github.com/juju/juju (Go) Aug 5, 2024
phvalguima manadart
SimonRichardson hpidcock lucistanescu eslerm
Keycloak secondary factor bypass in step-up authentication Moderate
CVE-2023-3597 was published for org.keycloak:keycloak-services (Maven) Apr 17, 2024
sschu jbman
electron-updater Code Signing Bypass on Windows High
CVE-2024-39698 was published for electron-updater (npm) Jul 9, 2024
mmaietta thomas-chauchefoin-bentley-systems
eb-bsi
Qwik has a potential mXSS vulnerability due to improper HTML escaping Moderate
CVE-2024-41677 was published for @builder.io/qwik (npm) Aug 6, 2024
arkark
Roundup Cross-site Scripting Vulnerability Moderate
CVE-2024-39126 was published for roundup (pip) Jul 17, 2024
gix-path can use a fake program files location Moderate
CVE-2024-40644 was published for gix-path (Rust) Jul 18, 2024
EliahKagan
Roundup Cross-site Scripting Vulnerability Moderate
CVE-2024-39125 was published for roundup (pip) Jul 17, 2024
Kubernetes sets incorrect permissions on Windows containers logs Moderate
CVE-2024-5321 was published for k8s.io/kubernetes (Go) Jul 18, 2024
vodozemac's usage of non-constant time base64 decoder could lead to leakage of secret key material Low
CVE-2024-40640 was published for vodozemac (Rust) Jul 17, 2024
The OpenSearch reporting plugin improperly controls tenancy access to reporting resources Moderate
CVE-2024-39900 was published for org.opensearch.plugin:opensearch-reports-scheduler (Maven) Jul 18, 2024
OpenSearch Observability does not properly restrict access to private tenant resources Moderate
CVE-2024-39901 was published for org.opensearch.plugin:opensearch-observability (Maven) Jul 10, 2024
Apache StreamPipes has potential remote code execution (RCE) via file upload High
CVE-2024-31411 was published for org.apache.streampipes:streampipes-parent (Maven) Jul 17, 2024
ProTip! Advisories are also available from the GraphQL API