Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,023
Erlang
29
GitHub Actions
16
Go
1,830
Maven
5,000+
npm
3,573
NuGet
632
pip
3,156
Pub
10
RubyGems
847
Rust
796
Swift
34
Unreviewed advisories
All unreviewed
5,000+

1,411 advisories

Loading
libxmljs2 type confusion vulnerability when parsing specially crafted XML High
CVE-2024-34393 was published for libxmljs2 (npm) May 2, 2024
s3-url-parser vulnerable to Denial of Service via regexes component High
CVE-2024-25355 was published for s3-url-parser (npm) May 1, 2024
Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation High
CVE-2023-36821 was published for uptime-kuma (npm) May 1, 2024
n-thumann
Flowise vulnerable to code injection via api/v1 High
CVE-2024-31621 was published for flowise (npm) Apr 29, 2024
Conform contains a Prototype Pollution Vulnerability in `parseWith...` function High
CVE-2024-32866 was published for @conform-to/dom (npm) Apr 23, 2024
key-moon vtsvetkov-splunk
@hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE High
CVE-2024-34347 was published for @hoppscotch/cli (npm) Apr 22, 2024
oskar-zeinomahmalat-sonarsource mufeedvh
@hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed High
CVE-2024-32652 was published for @hono/node-server (npm) Apr 19, 2024
@andrei-tatar/nora-firebase-common Prototype Pollution vulnerability High
CVE-2024-30564 was published for @andrei-tatar/nora-firebase-common (npm) Apr 18, 2024
Handling untrusted input can result in a crash, leading to loss of availability / denial of service High
CVE-2024-30253 was published for @solana/web3.js (npm) Apr 17, 2024
FixedLocally steveluscher
AWS Amplify CLI has incorrect trust policy management High
CVE-2024-28056 was published for @aws-amplify/cli (npm) Apr 15, 2024
@fastify/secure-session: Reuse of destroyed secure session cookie High
CVE-2024-31999 was published for @fastify/secure-session (npm) Apr 10, 2024
AdamKorcz mcollina
arthurscchan
SheetJS Regular Expression Denial of Service (ReDoS) High
CVE-2024-22363 was published for xlsx (npm) Apr 5, 2024
dectalk-tts Uses Unencrypted HTTP Request High
CVE-2024-31206 was published for dectalk-tts (npm) Apr 4, 2024
AverageHelper JstnMcBrd
In Astro-Shield, setting a correct `integrity` attribute to injected code allows to bypass the allow-lists High
CVE-2024-30250 was published for @kindspells/astro-shield (npm) Apr 1, 2024
castarco
@electron/packager's build process memory potentially leaked into final executable High
CVE-2024-29900 was published for @electron/packager (npm) Mar 29, 2024
Content-Security-Policy header generation in middleware could be compromised by malicious injections High
CVE-2024-29896 was published for @kindspells/astro-shield (npm) Mar 29, 2024
castarco
web3-utils Prototype Pollution vulnerability High
CVE-2024-21505 was published for web3-utils (npm) Mar 27, 2024
OneUptime Vulnerable to a Privilege Escalation via Local Storage Key Manipulation High
CVE-2024-29194 was published for @oneuptime/common-server (npm) Mar 25, 2024
saunders-jake
Duplicate Advisory: web3-utils Prototype Pollution vulnerability High
GHSA-87qp-7cw8-8q9c was published for web3-utils (npm) Mar 25, 2024 withdrawn
Path traversal in webpack-dev-middleware High
CVE-2024-29180 was published for webpack-dev-middleware (npm) Mar 21, 2024
palirichtarik
TurboBoost Commands vulnerable to arbitrary method invocation High
CVE-2024-28181 was published for @turbo-boost/commands (RubyGems) Mar 15, 2024
StimulusReflex arbitrary method call High
CVE-2024-28121 was published for stimulus_reflex (RubyGems) Mar 12, 2024
FelixMartel marcoroth
electron-builder's NSIS installer - execute arbitrary code on the target machine (Windows only) High
CVE-2024-27303 was published for app-builder-lib (npm) Mar 4, 2024
bruno-1337
Directus has MySQL accent insensitive email matching High
CVE-2024-27295 was published for directus (npm) Mar 1, 2024
c53julian
`@backstage/backend-common` vulnerable to path traversal through symlinks High
CVE-2024-26150 was published for @backstage/backend-common (npm) Feb 23, 2024
ProTip! Advisories are also available from the GraphQL API