GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

273 advisories

Improper Access Control in Gitea Critical
CVE-2020-28991 was published for github.com/go-gitea/gitea (Go) Apr 24, 2024
Privilege Escalation in kubevirt Critical
CVE-2020-14316 was published for kubevirt.io/kubevirt (Go) Apr 24, 2024
HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches Critical
CVE-2024-3817 was published for github.com/hashicorp/go-getter (Go) Apr 17, 2024
Evmos vulnerable to DOS and transaction fee expropriation through Authz exploit Critical
GHSA-v6rw-hhgg-wc4x was published for github.com/evmos/evmos/v11 (Go) Apr 17, 2024
Evmos transaction execution not accounting for all state transition after interaction with precompiles Critical
CVE-2024-32644 was published for github.com/evmos/evmos/v16 (Go) Apr 10, 2024
Credited to iczc
LocalAI Command Injection in audioToWav Critical
CVE-2024-2029 was published for github.com/go-skynet/LocalAI (Go) Apr 10, 2024
ibc-go: Potential Reentrancy using Timeout Callbacks in ibc-hooks Critical
GHSA-j496-crgh-34mx was published for github.com/cosmos/ibc-go (Go) Apr 5, 2024
Credited to mdulin2
Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss Critical
CVE-2024-21652 was published for github.com/argoproj/argo-cd/v2 (Go) Mar 18, 2024
Credited to nadava669, pasha-codefresh, jannfis, crenshaw-dev, and todaywasawesome
Cross-site scripting on application summary component Critical
CVE-2024-28175 was published for github.com/argoproj/argo-cd (Go) Mar 15, 2024
Credited to Ry0taK, agaudreault, and crenshaw-dev
Pterodactyl Wings vulnerable to improper isolation of server file access Critical
CVE-2024-27102 was published for github.com/pterodactyl/wings (Go) Mar 15, 2024
Credited to KurtThiemann, aft2d, and matthewpi
Authorization Bypass Through User-Controlled Key in go-zero Critical
CVE-2024-27302 was published for github.com/zeromicro/go-zero (Go) Mar 4, 2024
Credited to cokeBeer
Transparent TLS may not be applied to Marbles with certain manifest configurations Critical
GHSA-x5r5-2qrx-rqj8 was published for github.com/edgelesssys/marblerun (Go) Feb 27, 2024
Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials Critical
CVE-2024-25124 was published for github.com/gofiber/fiber/v2 (Go) Feb 22, 2024
Credited to gaby, sixcolors, and ReneWerner87
BuildKit vulnerable to possible host system access from mount stub cleaner Critical
CVE-2024-23652 was published for github.com/moby/buildkit (Go) Jan 31, 2024
Credited to rmcnamara-snyk
Buildkit's interactive containers API does not validate entitlements check Critical
CVE-2024-23653 was published for github.com/moby/buildkit (Go) Jan 31, 2024
Credited to rmcnamara-snyk
HashiCorp Vault Improper Privilege Management Critical
CVE-2020-10661 was published for github.com/hashicorp/vault (Go) Jan 30, 2024
Credited to andrewpollock
Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature Critical
CVE-2024-23827 was published for github.com/0xJacky/Nginx-UI (Go) Jan 29, 2024
Credited to Elleuch-x1 and 0xJacky
Django Template Engine Vulnerable to XSS Critical
CVE-2024-22199 was published for github.com/gofiber/template/django/v3 (Go) Jan 11, 2024
Credited to bastianwegge, sixcolors, gaby, ReneWerner87, and efectn
Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients Critical
CVE-2023-49569 was published for github.com/go-git/go-git/v5 (Go) Jan 10, 2024
Credited to bdilalu
snapd Race Condition vulnerability Critical
CVE-2022-3328 was published for github.com/snapcore/snapd (Go) Jan 8, 2024
Withdrawn Advisory: Teleport Access List owners can escalate their privileges Critical
GHSA-76cc-p55w-63g3 was published for github.com/gravitational/teleport (Go) Jan 3, 2024 withdrawn
Credited to Moaz219
Withdrawn Advisory: Teleport Proxy and Teleport Agents: SSRF to arbitrary hosts is possible from low privileged users Critical
GHSA-hw4x-mcx5-9q36 was published for github.com/gravitational/teleport (Go) Jan 3, 2024 withdrawn
Credited to Tener and espadolini
Improper Privilege Management in github.com/sap/cloud-security-client-go Critical
CVE-2023-50424 was published for github.com/sap/cloud-security-client-go (Go) Dec 13, 2023
Duplicate Advisory: Privilege escalation in sap/cloud-security-client-go Critical
GHSA-92cg-ghq6-9587 was published for github.com/sap/cloud-security-client-go (Go) Dec 12, 2023 withdrawn
Capsule Proxy Authentication bypass using an empty token Critical
CVE-2023-48312 was published for github.com/clastix/capsule-proxy (Go) Nov 24, 2023
Credited to luisdavim, slimm609, and psc4re
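One of the entries above, CVE-2024-25124 for Fiber, names a CORS configuration class rather than a code bug: a wildcard allowed origin combined with AllowCredentials. The listing gives no detail of Fiber's implementation, so the following is an added, generic illustration written for this page in plain net/http, not Fiber's code and not taken from the advisory. The CORSConfig type, the Validate check and the reflectWildcard switch (which models the common insecure pattern of reflecting the request Origin when "*" is configured, because browsers refuse a literal "*" together with credentials) are all assumptions of this example. It shows a config-time check that rejects the insecure combination, and an offline probe that demonstrates why it matters: the vulnerable variant hands a credentialed cross-origin grant to any site, the hardened one only to the listed origin.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// CORSConfig is a hypothetical struct for this example (not Fiber's type)
// holding the two settings whose combination the advisory title names.
type CORSConfig struct {
	AllowOrigins     []string // exact origins such as "https://app.example.com", or "*"
	AllowCredentials bool
}

// Validate rejects the insecure combination: a wildcard origin together with
// credentials. The browser refuses "Access-Control-Allow-Origin: *" when
// credentials are attached, so any server that makes it "work" by reflecting
// the request Origin grants every site credentialed access.
func (c CORSConfig) Validate() error {
	if !c.AllowCredentials {
		return nil
	}
	for _, o := range c.AllowOrigins {
		if o == "*" {
			return fmt.Errorf("insecure CORS config: wildcard origin with AllowCredentials=true")
		}
	}
	return nil
}

// allowOrigin picks the Access-Control-Allow-Origin value for a request.
// reflectWildcard=true models the vulnerable behaviour (assumed pattern):
// with "*" configured, echo whatever Origin the client sent.
func (c CORSConfig) allowOrigin(reqOrigin string, reflectWildcard bool) (string, bool) {
	for _, o := range c.AllowOrigins {
		if o == reqOrigin {
			return o, true
		}
		if o == "*" {
			if reflectWildcard {
				return reqOrigin, true
			}
			return "*", true
		}
	}
	return "", false
}

// Middleware applies the config to a net/http handler.
func (c CORSConfig) Middleware(reflectWildcard bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			if allowed, ok := c.allowOrigin(origin, reflectWildcard); ok {
				w.Header().Set("Access-Control-Allow-Origin", allowed)
				if c.AllowCredentials {
					w.Header().Set("Access-Control-Allow-Credentials", "true")
				}
				w.Header().Add("Vary", "Origin")
			}
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one in-memory request carrying the given Origin and returns the
// Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers,
// so a config's effect can be checked without a browser.
func Probe(c CORSConfig, reflectWildcard bool, origin string) (string, string) {
	h := c.Middleware(reflectWildcard, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/api/me", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin"), rec.Header().Get("Access-Control-Allow-Credentials")
}

func main() {
	// Constructed configs: the weak setting beside the corrected one.
	bad := CORSConfig{AllowOrigins: []string{"*"}, AllowCredentials: true}
	good := CORSConfig{AllowOrigins: []string{"https://app.example.com"}, AllowCredentials: true}
	fmt.Println("bad config validate:", bad.Validate())
	fmt.Println("good config validate:", good.Validate())

	o, cred := Probe(bad, true, "https://evil.example")
	fmt.Printf("vulnerable: ACAO=%q ACAC=%q\n", o, cred)
	o, cred = Probe(good, false, "https://evil.example")
	fmt.Printf("hardened (unknown origin): ACAO=%q ACAC=%q\n", o, cred)
	o, cred = Probe(good, false, "https://app.example.com")
	fmt.Printf("hardened (listed origin): ACAO=%q ACAC=%q\n", o, cred)
}
```

Run it with `go run .`; the Validate check is the piece to wire into a service's startup path so the wildcard-plus-credentials combination fails fast rather than shipping, and the Probe pattern doubles as a unit test for any CORS middleware whose origin matching you do not fully trust.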