GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
3,978
Erlang
29
GitHub Actions
16
Go
1,768
Maven
4,991
npm
3,537
NuGet
616
pip
3,107
Pub
10
RubyGems
837
Rust
786
Swift
34
Unreviewed advisories
All unreviewed
5,000+
4,991 advisories
Filter by severity
Apache Wicket: Remote code execution via XSLT injection
High
CVE-2024-36522
was published
for
org.apache.wicket:wicket-core
(Maven)
Jul 12, 2024
Apache Tomcat Improper Input Validation vulnerability
High
CVE-2023-46589
was published
for
org.apache.tomcat.embed:tomcat-embed-core
(Maven)
Nov 28, 2023
Apache NiFi vulnerable to Cross-site Scripting
Moderate
CVE-2024-37389
was published
for
org.apache.nifi:nifi-web-ui
(Maven)
Jul 8, 2024
PartialBufferOutputStream2 flush issues
Moderate
CVE-2008-7227
was published
for
org.geoserver.web:gs-web-app
(Maven)
May 17, 2022
•
withdrawn
Incorrect Default Permissions in Apache Tomcat
High
CVE-2020-8022
was published
for
org.apache.tomcat:tomcat
(Maven)
Feb 9, 2022
•
withdrawn
OpenSearch Observability does not properly restrict access to private tenant resources
Moderate
CVE-2024-39901
was published
for
org.opensearch.plugin:opensearch-observability
(Maven)
Jul 10, 2024
Silverpeas Core Cross-site Scripting vulnerability
Moderate
CVE-2024-39031
was published
for
org.silverpeas.core:silverpeas-core-rs
(Maven)
Jul 9, 2024
XWiki Platform: Remote code execution as guest via DatabaseSearch
Critical
CVE-2024-31982
was published
for
org.xwiki.platform:xwiki-platform-search-ui
(Maven)
Apr 10, 2024
Remote Code Execution (RCE) vulnerability in geoserver
Critical
CVE-2024-36401
was published
for
org.geoserver.web:gs-web-app
(Maven)
Jul 1, 2024
Spring Cloud Function Framework vulnerable to Denial of Service
High
CVE-2024-22271
was published
for
org.springframework.cloud:spring-cloud-function-context
(Maven)
Jul 9, 2024
Undertow Missing Release of Memory after Effective Lifetime vulnerability
Moderate
CVE-2024-3653
was published
for
io.undertow:undertow-core
(Maven)
Jul 9, 2024
Undertow Denial of Service vulnerability
High
CVE-2024-5971
was published
for
io.undertow:undertow-core
(Maven)
Jul 8, 2024
Spring Boot Actuator denial of service vulnerability
Moderate
CVE-2023-34055
was published
for
org.springframework.boot:spring-boot-actuator
(Maven)
Nov 28, 2023
Spring Boot Security Bypass with Wildcard Pattern Matching on Cloud Foundry
Critical
CVE-2023-20873
was published
for
org.springframework.boot:spring-boot-actuator-autoconfigure
(Maven)
Apr 20, 2023
Silverpeas authentication bypass
Critical
CVE-2024-36042
was published
for
org.silverpeas.core:silverpeas-core
(Maven)
Jun 3, 2024
Keycloak path transversal vulnerability in redirection validation
High
CVE-2024-1132
was published
for
org.keycloak:keycloak-services
(Maven)
Apr 17, 2024
MS Basic Cross-site Scripting vulnerability
Moderate
CVE-2024-33748
was published
for
net.mingsoft:ms-basic
(Maven)
May 7, 2024
Neo4j Cypher component mishandles IMMUTABLE privileges
Critical
CVE-2024-34517
was published
for
org.neo4j:neo4j-cypher
(Maven)
May 7, 2024
Apache Tomcat - Denial of Service
High
CVE-2024-34750
was published
for
org.apache.tomcat.embed:tomcat-embed-core
(Maven)
Jul 3, 2024
Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode
Moderate
CVE-2024-27309
was published
for
org.apache.kafka:kafka-metadata
(Maven)
Apr 12, 2024
Sandbox bypass in Script Security Plugin
Critical
CVE-2019-1003029
was published
for
org.jenkins-ci.plugins:script-security
(Maven)
May 13, 2022
STRIMZI incorrect access control
High
CVE-2024-36543
was published
for
io.strimzi:strimzi
(Maven)
Jun 17, 2024
XML External Entity Reference in drools
Critical
CVE-2021-41411
was published
for
org.drools:drools-core
(Maven)
Jun 17, 2022
Authorization bypass in Spring Security
Critical
CVE-2022-22978
was published
for
org.springframework.security:spring-security-core
(Maven)
May 20, 2022
jackson-databind mishandles the interaction between serialization gadgets and typing
High
CVE-2020-10672
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Apr 23, 2020
ProTip!
Advisories are also available from the
GraphQL API