GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
3,978
Erlang
29
GitHub Actions
16
Go
1,768
Maven
4,991
npm
3,537
NuGet
616
pip
3,107
Pub
10
RubyGems
837
Rust
786
Swift
34
Unreviewed advisories
All unreviewed
5,000+
2,956 advisories
Filter by severity
rejetto HFS vulnerable to OS Command Execution by remote authenticated users
Critical
CVE-2024-39943
was published
for
hfs
(npm)
Jul 5, 2024
Gogs allows argument injection during the previewing of changes
Critical
CVE-2024-39932
was published
for
github.com/gogs/gogs
(Go)
Jul 4, 2024
Gogs allows deletion of internal files
Critical
CVE-2024-39931
was published
for
github.com/gogs/gogs
(Go)
Jul 4, 2024
github.com/gogs/gogs affected by CVE-2024-39930
Critical
CVE-2024-39930
was published
for
github.com/gogs/gogs
(Go)
Jul 4, 2024
Gradio was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py
Critical
CVE-2024-39236
was published
for
Gradio
(pip)
Jul 1, 2024
Session Middleware Token Injection Vulnerability
Critical
CVE-2024-38513
was published
for
github.com/gofiber/fiber
(Go)
Jul 1, 2024
Remote Code Execution (RCE) vulnerability in geoserver
Critical
CVE-2024-36401
was published
for
org.geoserver.web:gs-web-app
(Maven)
Jul 1, 2024
ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability
Critical
CVE-2024-39309
was published
for
parse-server
(npm)
Jul 1, 2024
Prototype pollution in ag-grid-community via the _.mergeDeep function
Critical
CVE-2024-38996
was published
for
ag-grid-community
(npm)
Jul 1, 2024
jsonic was discovered to contain a prototype pollution via the function empty.
Critical
CVE-2024-38993
was published
for
jsonic
(npm)
Jul 1, 2024
•
withdrawn
litellm vulnerable to remote code execution based on using eval unsafely
Critical
CVE-2024-5751
was published
for
litellm
(pip)
Jun 27, 2024
vanna vulnerable to remote code execution caused by prompt injection
Critical
CVE-2024-5826
was published
for
vanna
(pip)
Jun 27, 2024
pytorch-lightning vulnerable to Arbitrary File Write via /v1/runs API endpoint
Critical
CVE-2024-5980
was published
for
lightning
(pip)
Jun 27, 2024
XWiki programming rights may be inherited by inclusion
Critical
CVE-2024-38369
was published
for
org.xwiki.platform:xwiki-platform-rendering-macro-include
(Maven)
Jun 24, 2024
Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation
Critical
CVE-2024-29868
was published
for
org.apache.streampipes:streampipes-resource-management
(Maven)
Jun 24, 2024
Remote Code Execution via path traversal bypass in lollms
Critical
CVE-2024-5443
was published
for
lollms
(pip)
Jun 22, 2024
XWiki Platform allows remote code execution from user account
Critical
CVE-2024-37899
was published
for
org.xwiki.platform:xwiki-platform-oldcore
(Maven)
Jun 20, 2024
rke's credentials are stored in the RKE1 Cluster state ConfigMap
Critical
CVE-2023-32191
was published
for
github.com/rancher/rke
(Go)
Jun 17, 2024
DeepJavaLibrary API absolute path traversal
Critical
CVE-2024-37902
was published
for
ai.djl:api
(Maven)
Jun 17, 2024
Magento Open Source affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability
Critical
CVE-2024-34102
was published
for
magento/community-edition
(Composer)
Jun 13, 2024
Apache Submarine Server Core Incorrect Authorization vulnerability
Critical
CVE-2024-36265
was published
for
org.apache.submarine:submarine-server-core
(Maven)
Jun 12, 2024
parisneo/lollms Local File Inclusion (LFI) attack
Critical
CVE-2024-4315
was published
for
lollms
(pip)
Jun 12, 2024
Jupyter Server Proxy has a reflected XSS issue in host parameter
Critical
CVE-2024-35225
was published
for
jupyter-server-proxy
(pip)
Jun 11, 2024
document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection
Critical
CVE-2024-37301
was published
for
document-merge-service
(pip)
Jun 11, 2024
lunary-ai/lunary Access Control Vulnerability in Prompt Variation Management
Critical
CVE-2024-5389
was published
for
lunary
(pip)
Jun 10, 2024
ProTip!
Advisories are also available from the
GraphQL API