Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,963
Erlang
39
GitHub Actions
38
Go
2,614
Maven
5,000+
npm
4,254
NuGet
760
pip
4,031
Pub
12
RubyGems
953
Rust
1,049
Swift
45
Unreviewed advisories
All unreviewed
5,000+

38 advisories

Loading
j178/prek-action vulnerable to arbitrary code injection in composite action Critical
GHSA-pwf7-47c3-mfhx was published for j178/prek-action (GitHub Actions) Sep 29, 2025
mondeja
Credited to mondeja
Argument injection vulnerability in SonarQube Scan Action High
CVE-2025-59844 was published for SonarSource/sonarqube-scan-action (GitHub Actions) Sep 26, 2025
PyPI publish GitHub Action vulnerable to injectable expression expansions in action steps Low
GHSA-vxmw-7h4f-hqxh was published for pypa/gh-action-pypi-publish (GitHub Actions) Sep 4, 2025
woodruffw
Credited to woodruffw
Command Injection via sonarqube-scan-action GitHub Action High
CVE-2025-58178 was published for SonarSource/sonarqube-scan-action (GitHub Actions) Sep 2, 2025
Torbjorn-Svensson
Credited to Torbjorn-Svensson
lychee link checking action affected by arbitrary code injection in composite action Moderate
CVE-2024-48908 was published for lycheeverse/lychee-action (GitHub Actions) Aug 28, 2025
mondeja
Credited to mondeja
m00nl1ght-dev/steam-workshop-deploy: Exposure of Version-Control Repository to an Unauthorized Control Sphere and Insufficiently Protected Credentials Critical
GHSA-x6gv-2rvh-qmp6 was published for BoldestDungeon/steam-workshop-deploy (GitHub Actions) Aug 13, 2025
Gamebuster19901
Credited to Gamebuster19901
tj-actions/branch-names has a Command Injection Vulnerability Critical
CVE-2025-54416 was published for tj-actions/branch-names (GitHub Actions) Jul 25, 2025
tutasla
Credited to tutasla
RageAgainstThePixel/setup-steamcmd leaked authentication token in job output logs High
GHSA-c5qx-p38x-qf5w was published for RageAgainstThePixel/setup-steamcmd (GitHub Actions) Jul 21, 2025
BrknRobot
Credited to BrknRobot
buildalon/setup-steamcmd leaked authentication token in job output logs High
GHSA-mj96-mh85-r574 was published for buildalon/setup-steamcmd (GitHub Actions) Jul 21, 2025
BrknRobot
Credited to BrknRobot
Cromwell GitHub Actions Secrets exfiltration via `Issue_comment` Critical
GHSA-phf6-hm3h-x8qp was published for broadinstitute/cromwell (GitHub Actions) May 28, 2025
darryk10 loresuso
AlbertoPellitteri
Credited to darryk10, loresuso, and AlbertoPellitteri
Bullfrog's DNS over TCP bypasses domain filtering Moderate
CVE-2025-47775 was published for bullfrogsec/bullfrog (GitHub Actions) May 15, 2025
vin01
Credited to vin01
OZI-Project/ozi-publish Code Injection vulnerability Moderate
CVE-2025-47271 was published for OZI-Project/publish (GitHub Actions) May 12, 2025
Harden-Runner allows evasion of 'disable-sudo' policy Moderate
CVE-2025-32955 was published for step-security/harden-runner (GitHub Actions) Apr 22, 2025
loresuso darryk10
Credited to loresuso and darryk10
canonical/get-workflow-version-action can leak a partial GITHUB_TOKEN in exception output High
CVE-2025-31479 was published for canonical/get-workflow-version-action (GitHub Actions) Apr 2, 2025
dannystaple
Credited to dannystaple
Multiple Reviewdog actions were compromised during a specific time period High
CVE-2025-30154 was published for reviewdog/action-setup (GitHub Actions) Mar 19, 2025
sshayb ramimac
Credited to sshayb and ramimac
tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs. High
CVE-2025-30066 was published for tj-actions/changed-files (GitHub Actions) Mar 15, 2025
varunsh-coder
Credited to varunsh-coder
GitHub PAT written to debug artifacts High
CVE-2025-24362 was published for github/codeql-action (GitHub Actions) Jan 24, 2025
jstawinski
Credited to jstawinski
Artifact poisoning vulnerability in action-download-artifact v5 and earlier High
GHSA-5xr6-xhww-33m4 was published for dawidd6/action-download-artifact (GitHub Actions) Nov 25, 2024
woodruffw
Credited to woodruffw
Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts` Low
CVE-2024-52587 was published for step-security/harden-runner (GitHub Actions) Nov 18, 2024
woodruffw
Credited to woodruffw
@actions/download-artifact has an Arbitrary File Write via artifact extraction High
GHSA-cxww-7g56-2vh6 was published for actions/download-artifact (GitHub Actions) Sep 3, 2024
holmanb
Credited to holmanb
GitHub Actions Script Injection in `ultralytics/actions` High
GHSA-7x29-qqmq-v6qc was published for ultralytics/actions (GitHub Actions) Aug 14, 2024
AdnaneKhan
Credited to AdnaneKhan
fish-shop/syntax-check Improper Neutralization of Delimiters Moderate
CVE-2024-42482 was published for fish-shop/syntax-check (GitHub Actions) Aug 12, 2024
marcransome
Credited to marcransome
github-slug-action use of `set-env` Runner commands which are processed via stdout Moderate
GHSA-7f32-hm4h-w77q was published for rlespinasse/github-slug-action (GitHub Actions) Feb 3, 2024
hsblhsn rlespinasse
Credited to hsblhsn and rlespinasse
Potential Actions command injection in output filenames (GHSL-2023-275) High
CVE-2023-52137 was published for tj-actions/verify-changed-files (GitHub Actions) Jan 2, 2024
jorgectf jsoref
Credited to jorgectf and jsoref
tj-actions/changed-files has Potential Actions command injection in output filenames (GHSL-2023-271) High
CVE-2023-51664 was published for tj-actions/changed-files (GitHub Actions) Jan 2, 2024
jorgectf jsoref
Credited to jorgectf and jsoref
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database