GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
136 advisories
gitsign may use incorrect Rekor entries during verification
Low | CVE-2024-51746 was published for github.com/sigstore/gitsign (Go) | Nov 5, 2024

LocalAI Cross-site Scripting vulnerability
Low | CVE-2024-48057 was published for github.com/mudler/LocalAI (Go) | Nov 5, 2024

Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations
Low | CVE-2024-51744 was published for github.com/golang-jwt/jwt/v4 (Go) | Nov 4, 2024

Grafana org admin can delete pending invites in different org
Low | CVE-2024-10452 was published for github.com/grafana/grafana (Go) | Oct 29, 2024

Mattermost incorrectly issues two sessions when using desktop SSO
Low | CVE-2024-10214 was published for github.com/mattermost/mattermost/server/v8 (Go) | Oct 28, 2024

AWS Load Balancer Controller automatically detaches externally associated web ACL from Application Load Balancers
Low | GHSA-rjfv-pjvx-mjgv was published for sigs.k8s.io/aws-load-balancer-controller (Go) | Oct 24, 2024

SpiceDB calls to LookupResources using LookupResources2 with caveats may return context is missing when it is not
Low | CVE-2024-48909 was published for github.com/authzed/spicedb (Go) | Oct 14, 2024

Go-Landlock in best-effort mode did not restrict TCP bind and connect operations correctly
Low | GHSA-vv6c-69r6-chg9 was published for github.com/landlock-lsm/go-landlock (Go) | Oct 14, 2024

Dozzle uses unsafe hash for passwords
Low | CVE-2024-47182 was published for github.com/amir20/dozzle (Go) | Oct 9, 2024

OpenTofu potential leaking of secret variable values when using static evaluation in v1.8
Low | GHSA-wpr2-j6gr-pjw9 was published for github.com/opentofu/opentofu (Go) | Oct 3, 2024

Path traversal vulnerability in stripe-cli
Low | CVE-2024-45401 was published for github.com/stripe/stripe-cli (Go) | Sep 5, 2024

sigstore-go has an unbounded loop over untrusted input can lead to endless data attack
Low | CVE-2024-45395 was published for github.com/sigstore/sigstore-go (Go) | Sep 4, 2024

CometBFT's state syncing validator from malicious node may lead to a chain split
Low | GHSA-g5xx-c4hv-9ccc was published for github.com/cometbft/cometbft (Go) | Sep 3, 2024

Trufflehog vulnerable to Blind SSRF in some Detectors
Low | CVE-2024-43379 was published for github.com/trufflesecurity/trufflehog/v3 (Go) | Aug 19, 2024

snapd failed to properly check the destination of symbolic links when extracting a snap
Low | CVE-2024-29069 was published for github.com/snapcore/snapd (Go) | Jul 25, 2024

Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go
Low | GHSA-xr7q-jx4m-x55m was published for google.golang.org/grpc (Go) | Jul 5, 2024

HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims
Low | CVE-2024-5798 was published for github.com/hashicorp/vault (Go) | Jun 12, 2024

`docker cp` allows unexpected chmod of host files in Moby Docker Engine
Low | CVE-2021-41089 was published for github.com/docker/docker (Go) | Jun 10, 2024

evmos allows transferring unvested tokens after delegations
Low | CVE-2024-32873 was published for github.com/evmos/evmos/v10 (Go) | Jun 6, 2024

SQL Injection in Harbor scan log API
Low | CVE-2024-22261 was published for github.com/goharbor/harbor (Go) | Jun 2, 2024

github.com/huandu/facebook may expose access_token in error message.
Low | CVE-2024-35232 was published for github.com/huandu/facebook/v2 (Go) | May 24, 2024

github.com/bincyber/go-sqlcrypter vulnerable to IV collision
Low | GHSA-2j6r-9vv4-6gf5 was published for github.com/bincyber/go-sqlcrypter (Go) | May 20, 2024

Grafana Forward OAuth Identity Token can allow users to access some data sources
Low | CVE-2022-21673 was published for github.com/grafana/grafana (Go) | May 14, 2024

containerd started with non-empty inheritable Linux process capabilities
Low | GHSA-c9cp-9c75-9v8c was published for github.com/containerd/containerd (Go) | May 14, 2024

NATS server TLS missing ciphersuite settings when CLI flags used
Low | CVE-2021-32026 was published for github.com/nats-io/nats-server/v2 (Go) | May 14, 2024