GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
4,205
Erlang
31
GitHub Actions
19
Go
1,988
Maven
5,000+
npm
3,704
NuGet
661
pip
3,332
Pub
11
RubyGems
884
Rust
845
Swift
36
Unreviewed advisories
All unreviewed
5,000+
32 advisories
Filter by severity
Duplicate Advisory: gosaml2 is vulnerable to NULL Pointer Dereference from malformed XML signatures
High
GHSA-gq5r-cc4w-g8xf
was published
for
github.com/russellhaering/gosaml2
(Go)
Jun 23, 2021
•
withdrawn
Archive package allows chmod of file outside of unpack target directory
Moderate
CVE-2021-32760
was published
for
github.com/containerd/containerd
(Go)
Jul 26, 2021
github.com/pires/go-proxyproto vulnerable to DoS via Connection descriptor exhaustion
High
CVE-2021-23409
was published
for
github.com/pires/go-proxyproto
(Go)
Jul 26, 2021
Authorization Policy Bypass Due to Case Insensitive Host Comparison
High
CVE-2021-39155
was published
for
istio.io/istio
(Go)
Aug 30, 2021
Path traversal in ServiceCenter
High
CVE-2021-21501
was published
for
github.com/apache/servicecomb-service-center
(Go)
Sep 1, 2021
HashiCorp Consul Privilege Escalation Vulnerability
High
CVE-2021-37219
was published
for
github.com/hashicorp/consul
(Go)
Sep 8, 2021
Improper Access Control in github.com/treeverse/lakefs
Moderate
GHSA-m836-gxwq-j2pm
was published
for
github.com/treeverse/lakefs
(Go)
Oct 28, 2021
Ambiguous OCI manifest parsing
Low
GHSA-5j5w-g665-5m35
was published
for
github.com/containerd/containerd
(Go)
Nov 18, 2021
Cross-site Scripting in github.com/schollz/rwtxt
Moderate
CVE-2021-20848
was published
for
github.com/schollz/rwtxt
(Go)
Nov 29, 2021
Capture-replay in Gitea
Critical
CVE-2021-45327
was published
for
github.com/go-gitea/gitea
(Go)
Feb 9, 2022
Hashicorp Nomad Information Exposure Through Environmental Variables
Moderate
CVE-2019-14802
was published
for
github.com/hashicorp/nomad
(Go)
Feb 15, 2022
Arbitrary file reads in HashiCorp Nomad
High
CVE-2022-24683
was published
for
github.com/hashicorp/nomad
(Go)
Feb 18, 2022
Uncontrolled Resource Consumption in github.com/google/fscrypt
Moderate
CVE-2022-25326
was published
for
github.com/google/fscrypt
(Go)
Feb 26, 2022
User login denial of service in github.com/google/fscrypt
Moderate
CVE-2022-25327
was published
for
github.com/google/fscrypt
(Go)
Feb 26, 2022
Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server
Moderate
CVE-2022-24904
was published
for
github.com/argoproj/argo-cd/v2
(Go)
May 23, 2022
Podman has Files or Directories Accessible to External Parties
Moderate
CVE-2020-1726
was published
for
github.com/containers/podman
(Go)
May 24, 2022
Query predicate bypass in Zalando Skipper
High
CVE-2022-34296
was published
for
github.com/zalando/skipper
(Go)
Jun 24, 2022
Argo CD SSO users vulnerable to Cross-site Scripting
Low
CVE-2022-31102
was published
for
github.com/argoproj/argo-cd
(Go)
Jul 12, 2022
aws-iam-authenticator allow-listed IAM identity may be able to modify their username, escalate privileges before v0.5.9
High
CVE-2022-2385
was published
for
sigs.k8s.io/aws-iam-authenticator
(Go)
Jul 13, 2022
Cronos vulnerable to DoS through unintended Contract Selfdestruct
High
GHSA-gwj5-wp6r-5q9f
was published
for
github.com/crypto-org-chain/cronos
(Go)
Aug 11, 2022
HashiCorp Consul vulnerable to authorization bypass
Moderate
CVE-2022-40716
was published
for
github.com/hashicorp/consul
(Go)
Sep 25, 2022
etcd user credentials are stored in WAL logs in plaintext
Low
GHSA-528j-9r78-wffx
was published
for
go.etcd.io/etcd/client/v3
(Go)
Oct 6, 2022
AdGuardHome vulnerable to Cross-Site Request Forgery
Moderate
CVE-2022-32175
was published
for
github.com/AdguardTeam/AdGuardHome
(Go)
Oct 11, 2022
Team scope authorization bypass when Post/Put request with :team_name in body, allows HTTP parameter pollution
Moderate
CVE-2022-31683
was published
for
github.com/concourse/concourse
(Go)
Oct 19, 2022
Skipper vulnerable to SSRF via X-Skipper-Proxy
Critical
CVE-2022-38580
was published
for
github.com/zalando/skipper
(Go)
Oct 25, 2022
ProTip!
Advisories are also available from the
GraphQL API