GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
4,237
Erlang
31
GitHub Actions
20
Go
1,998
Maven
5,000+
npm
3,710
NuGet
661
pip
3,364
Pub
11
RubyGems
885
Rust
846
Swift
36
Unreviewed advisories
All unreviewed
5,000+
62 advisories
Filter by severity
express vulnerable to XSS via response.redirect()
Low
CVE-2024-43796
was published
for
express
(npm)
Sep 10, 2024
serve-static vulnerable to template injection that can lead to XSS
Low
CVE-2024-43800
was published
for
serve-static
(npm)
Sep 10, 2024
send vulnerable to template injection that can lead to XSS
Low
CVE-2024-43799
was published
for
send
(npm)
Sep 10, 2024
Authenticated users can crash the CubeFS servers with maliciously crafted requests
High
CVE-2023-46738
was published
for
github.com/cubefs/cubefs
(Go)
Jan 3, 2024
CubeFS timing attack can leak user passwords
High
CVE-2023-46739
was published
for
github.com/cubefs/cubefs
(Go)
Jan 3, 2024
Insecure random string generator used for sensitive data
High
CVE-2023-46740
was published
for
github.com/cubefs/cubefs
(Go)
Jan 3, 2024
Incorrect delegation lookups can make go-tuf download the wrong artifact
High
CVE-2024-47534
was published
for
github.com/theupdateframework/go-tuf/v2
(Go)
Oct 1, 2024
basic-auth-connect's callback uses time unsafe string comparison
High
CVE-2024-47178
was published
for
basic-auth-connect
(npm)
Sep 30, 2024
Uncontrolled Resource Consumption in Jackson-databind
High
CVE-2022-42003
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Oct 3, 2022
body-parser vulnerable to denial of service when url encoding is enabled
High
CVE-2024-45590
was published
for
body-parser
(npm)
Sep 10, 2024
OCI image importer memory exhaustion in github.com/containerd/containerd
Moderate
CVE-2023-25153
was published
for
github.com/containerd/containerd
(Go)
Feb 16, 2023
sigstore-go has an unbounded loop over untrusted input can lead to endless data attack
Low
CVE-2024-45395
was published
for
github.com/sigstore/sigstore-go
(Go)
Sep 4, 2024
Argo CD's external URLs for Deployments can include JavaScript
Critical
CVE-2022-31035
was published
for
github.com/argoproj/argo-cd
(Go)
Jun 21, 2022
CubeFS leaks magic secret key when starting Blobstore access service
Moderate
CVE-2023-46741
was published
for
github.com/cubefs/cubefs
(Go)
Jan 3, 2024
CubeFS leaks users key in logs
Moderate
CVE-2023-46742
was published
for
github.com/cubefs/cubefs
(Go)
Jan 3, 2024
Minder affected by denial of service from maliciously configured Git repository
Moderate
CVE-2024-37904
was published
for
github.com/stacklok/minder
(Go)
Jun 18, 2024
Denial of service of Minder Server from maliciously crafted GitHub attestations
Moderate
CVE-2024-35238
was published
for
github.com/stacklok/minder
(Go)
May 28, 2024
Stacklok Minder vulnerable to denial of service from maliciously crafted templates
Moderate
CVE-2024-35194
was published
for
github.com/stacklok/minder
(Go)
May 20, 2024
vitess allows users to create keyspaces that can deny access to already existing keyspaces
Moderate
CVE-2023-29194
was published
for
vitess.io/vitess
(Go)
Apr 11, 2023
Denial of service of Minder Server with attacker-controlled REST endpoint
Moderate
CVE-2024-35185
was published
for
github.com/stacklok/minder
(Go)
May 16, 2024
@fastify/secure-session: Reuse of destroyed secure session cookie
High
CVE-2024-31999
was published
for
@fastify/secure-session
(npm)
Apr 10, 2024
Minder's GitHub Webhook Handler vulnerable to DoS from un-validated requests
High
CVE-2024-34084
was published
for
github.com/stacklok/minder
(Go)
May 7, 2024
Cosign malicious artifacts can cause machine-wide DoS
Moderate
CVE-2024-29903
was published
for
github.com/sigstore/cosign
(Go)
Apr 11, 2024
Cosign malicious attachments can cause system-wide denial of service
Moderate
CVE-2024-29902
was published
for
github.com/sigstore/cosign
(Go)
Apr 11, 2024
Uncontrolled Resource Consumption in FasterXML jackson-databind
High
CVE-2022-42004
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Oct 3, 2022
ProTip!
Advisories are also available from the
GraphQL API