Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,023
Erlang
29
GitHub Actions
16
Go
1,830
Maven
5,000+
npm
3,573
NuGet
632
pip
3,156
Pub
10
RubyGems
847
Rust
796
Swift
34
Unreviewed advisories
All unreviewed
5,000+

958 advisories

Loading
rejetto HFS vulnerable to OS Command Execution by remote authenticated users Critical
CVE-2024-39943 was published for hfs (npm) Jul 5, 2024
NextChat has full-read SSRF and XSS vulnerability in /api/cors endpoint Critical
CVE-2023-49785 was published for nextchat (npm) Aug 5, 2024
nvn1729
@thi.ng/paths Prototype Pollution vulnerability Critical
CVE-2024-29650 was published for @thi.ng/paths (npm) Mar 25, 2024
obx Prototype Pollution Critical
CVE-2024-36573 was published for @almela/obx (npm) Jun 17, 2024
lunary-ai/lunary allows users unauthorized access to projects Critical
CVE-2024-4146 was published for lunary (npm) Jun 8, 2024
Jan path traversal vulnerability Critical
CVE-2024-36858 was published for @janhq/core (npm) Jun 4, 2024
Van-QA
jsonic was discovered to contain a prototype pollution via the function empty. Critical
CVE-2024-38993 was published for jsonic (npm) Jul 1, 2024 withdrawn
wzrdtales
Prototype pollution in ag-grid-community via the _.mergeDeep function Critical
CVE-2024-38996 was published for ag-grid-community (npm) Jul 1, 2024
kiril-matev
Blackprint @blackprint/engine Prototype Pollution issue Critical
CVE-2024-24294 was published for @blackprint/engine (npm) May 20, 2024
xml-crypto vulnerable to XML signature verification bypass due improper verification of signature/signature spoofing Critical
CVE-2024-32962 was published for xml-crypto (npm) May 1, 2024
ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability Critical
CVE-2024-39309 was published for parse-server (npm) Jul 1, 2024
mtrezza
protobufjs Prototype Pollution vulnerability Critical
CVE-2023-36665 was published for protobufjs (npm) Jul 5, 2023
fhoeben stephengroat
Prototype Pollution in minimist Critical
CVE-2021-44906 was published for minimist (npm) Mar 18, 2022
alopix ljharb
Jan path traversal vulnerability Critical
CVE-2024-37273 was published for @janhq/core (npm) Jun 4, 2024
Withdrawn Advisory: OS Command Injection in effect Critical
CVE-2020-7624 was published for effect (npm) Feb 10, 2022 withdrawn
Fidget-Grep
Withdrawn: Code execution via SVG file upload in tiddlywiki Critical
CVE-2022-29351 was published for tiddlywiki (npm) May 17, 2022 withdrawn
@valtimo/components exposes access token to form.io Critical
CVE-2024-34706 was published for @valtimo/components (npm) May 13, 2024
lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability Critical
CVE-2024-32964 was published for @lobehub/chat (npm) May 10, 2024
yyzsec
Server-Side Template Injection in formio Critical
CVE-2020-28246 was published for formio (npm) Jun 3, 2022
MailDev Remote Code Execution Critical
CVE-2024-27448 was published for maildev (npm) Apr 5, 2024
stypr
Formidable arbitrary file upload Critical
CVE-2022-29622 was published for formidable (npm) May 17, 2022 withdrawn
Prototype Pollution in immer Critical
CVE-2021-23436 was published for immer (npm) Sep 2, 2021
levpachmanov
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ZMarkdown Critical
GHSA-2c83-wfv3-q25f was published for rebber (npm) Sep 7, 2021
gustavi
MySQL2 for Node Arbitrary Code Injection Critical
CVE-2024-21511 was published for mysql2 (npm) Apr 23, 2024
Joplin Vulnerable to Code Injection Critical
CVE-2022-23340 was published for joplin (npm) Feb 9, 2022
ProTip! Advisories are also available from the GraphQL API