GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
4,023
Erlang
29
GitHub Actions
16
Go
1,830
Maven
5,000+
npm
3,573
NuGet
632
pip
3,156
Pub
10
RubyGems
847
Rust
796
Swift
34
Unreviewed advisories
All unreviewed
5,000+
188 advisories
Filter by severity
OS Command Injection in gogs
Critical
CVE-2021-32546
was published
for
gogs.io/gogs
(Go)
Jun 2, 2022
HashiCorp go-getter command injection
Critical
CVE-2022-26945
was published
for
github.com/hashicorp/go-getter
(Go)
May 26, 2022
gitjacker arbitrary code execution
Critical
CVE-2021-29417
was published
for
github.com/liamg/gitjacker
(Go)
May 24, 2022
Token leases could outlive their TTL in HashiCorp Vault
Critical
CVE-2020-25816
was published
for
github.com/hashicorp/vault
(Go)
May 24, 2022
Server-Side Request Forgery in charm
Critical
CVE-2022-29180
was published
for
github.com/charmbracelet/charm
(Go)
May 24, 2022
Argo CD will blindly trust JWT claims if anonymous access is enabled
Critical
CVE-2022-29165
was published
for
github.com/argoproj/argo-cd
(Go)
May 24, 2022
Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection
Critical
CVE-2021-43350
was published
for
github.com/apache/trafficcontrol
(Go)
May 24, 2022
DevSpace vulnerable to remote code execution
Critical
CVE-2020-15391
was published
for
github.com/loft-sh/devspace
(Go)
May 24, 2022
Hashicorp Nomad Access Control Issues
Critical
CVE-2019-12618
was published
for
github.com/hashicorp/nomad
(Go)
May 24, 2022
Rancher Recreates Default User With Known Password Despite Deletion
Critical
CVE-2019-11202
was published
for
github.com/rancher/rancher
(Go)
May 24, 2022
Moby Docker cp broken with debian containers
Critical
CVE-2019-14271
was published
for
github.com/docker/docker
(Go)
May 24, 2022
Helm Improper Certificate Validation
Critical
CVE-2019-1010275
was published
for
helm.sh/helm
(Go)
May 24, 2022
glot-code-runner RCE
Critical
CVE-2018-15747
was published
for
github.com/prasmussen/glot-code-runner
(Go)
May 24, 2022
Gitea Allows 1FA Even for 2FA-Enrolled Accounts
Critical
CVE-2019-11576
was published
for
code.gitea.io/gitea
(Go)
May 24, 2022
EnvoyProxy Envoy Missing HTTP URL path normalization
Critical
CVE-2019-9901
was published
for
github.com/envoyproxy/envoy
(Go)
May 24, 2022
Access control bypass in beego
Critical
CVE-2022-31259
was published
for
github.com/beego/beego
(Go)
May 22, 2022
Improper kubeconfig validation allows arbitrary code execution
Critical
CVE-2022-24817
was published
for
github.com/fluxcd/flux2
(Go)
May 16, 2022
HashiCorp Terraform Amazon Web Services (AWS) uses an insecure PRNG
Critical
CVE-2018-9057
was published
for
github.com/hashicorp/terraform-provider-aws
(Go)
May 14, 2022
Improper path handling in kustomization files allows path traversal
Critical
CVE-2022-24877
was published
for
github.com/fluxcd/flux2
(Go)
May 4, 2022
Git LFS can execute a binary from the current directory on Windows
Critical
CVE-2022-24826
was published
for
github.com/git-lfs/git-lfs
(Go)
Apr 22, 2022
Command Injection Vulnerability with Mercurial in VCS
Critical
CVE-2022-21235
was published
for
github.com/Masterminds/vcs
(Go)
Apr 1, 2022
SQLinjection in falcon-plus
Critical
CVE-2022-26245
was published
for
github.com/open-falcon/falcon-plus
(Go)
Mar 28, 2022
Improper access control allows admin privilege escalation in Argo CD
Critical
CVE-2022-24768
was published
for
github.com/argoproj/argo-cd
(Go)
Mar 24, 2022
ProTip!
Advisories are also available from the
GraphQL API