GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Reviewed advisories by ecosystem (counts at the time this page was captured): all reviewed 5,000+; Composer 4,077; Erlang 29; GitHub Actions 19; Go 1,903; Maven 5,000+; npm 3,632; NuGet 638; pip 3,249; Pub 10; RubyGems 864; Rust 818; Swift 35.
Unreviewed advisories: 5,000+.
Filter: GitHub reviewed, severity Low. 38 advisories matched; the first 24 are listed here. The date is when the advisory was published in the GitHub Advisory Database, which can be years after the CVE was assigned (CVE-2012-3371 below was published in 2022).

Title | Severity | Identifier | Package (ecosystem) | Published
SMTP Injection in PHPMailer | Low | CVE-2015-8476 | phpmailer/phpmailer (Composer) | Mar 5, 2020
CHECK-fail in LSTM with zero-length input in TensorFlow | Low | CVE-2020-26270 | tensorflow (pip) | Dec 10, 2020
VVE-2021-0002: Incorrect `returndatasize` when using simple forwarder proxies deployed prior to EIP-1167 adoption | Low | GHSA-375m-5fvv-xq23 | vyper (pip) | Apr 19, 2021
personnummer/dart vulnerable to Improper Input Validation | Low | CVE-2023-22963 | personnummer (Pub) | Sep 19, 2022
Improper Input Validation in Jenkins | Low | CVE-2017-1000401 | org.jenkins-ci.main:jenkins-core (Maven) | May 14, 2022
Jetty invalid URI parsing may produce invalid HttpURI.authority | Low | CVE-2022-2047 | org.eclipse.jetty:jetty-http (Maven) | Jul 7, 2022
Environment Variable Injection in GitHub Actions | Low | CVE-2020-15228 | @actions/core (npm) | Oct 1, 2020
Data Amplification in Play Framework | Low | CVE-2020-28923 | com.typesafe.play:play (Maven) | Feb 9, 2022
Incomplete validation in `SparseReshape` | Low | CVE-2021-29611 | tensorflow (pip) | May 21, 2021
Crash due to malformed relay protocol message | Low | CVE-2021-21404 | github.com/syncthing/syncthing (Go) | May 21, 2021
Improper Input Validation in Firefly III | Low | CVE-2019-14671 | grumpydictator/firefly-iii (Composer) | Sep 8, 2021
Phusion Passenger allows remote attackers to spoof headers | Low | CVE-2015-7519 | passenger (RubyGems) | Oct 10, 2018
Incorrect parsing of nameless cookies leads to __Host- cookies bypass | Low | CVE-2023-23934 | Werkzeug (pip) | Feb 15, 2023
Aliases are never checked in helm | Low | CVE-2020-15184 | helm.sh/helm (Go) | May 24, 2021
Repository index file allows for duplicates of the same chart entry in helm | Low | CVE-2020-15185 | helm.sh/helm (Go) | May 24, 2021
Panic due to malformed WALs in go.etcd.io/etcd | Low | CVE-2020-15106 | go.etcd.io/etcd (Go) | Feb 7, 2023
Improper Sanitizing of plugin names in helm | Low | CVE-2020-15186 | helm.sh/helm (Go) | May 24, 2021
Silverstripe Framework: Members with no password can be created and bypass custom login forms | Low | CVE-2023-32302 | silverstripe/framework (Composer) | Jul 31, 2023
Jenkins Resource Disposer Plugin allows attacker to stop tracking specified resource | Low | CVE-2018-1999037 | org.jenkins-ci.plugins:resource-disposer (Maven) | May 14, 2022
OpenStack Nova Scheduler denial of service through scheduler_hints | Low | CVE-2012-3371 | Nova (pip) | May 17, 2022
Concrete CMS vulnerable to stored XSS via the Role Name field | Low | CVE-2024-1247 | concrete5/concrete5 (Composer) | Feb 9, 2024
Concrete CMS vulnerable to stored XSS in file tags and description attributes | Low | CVE-2024-1245 | concrete5/concrete5 (Composer) | Feb 9, 2024
Concrete CMS vulnerable to reflected XSS via the Image URL Import Feature | Low | CVE-2024-1246 | concrete5/concrete5 (Composer) | Feb 9, 2024
Concrete CMS Stored XSS on the calendar color settings screen | Low | CVE-2024-2753 | concrete5/concrete5 (Composer) | Apr 3, 2024
ProTip: advisories are also available from the GitHub GraphQL API.
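The following is an added example, not GitHub's own client code, showing how the filters on this page (ecosystem, package, severity) map onto the GraphQL API and how to flatten the result into rows like the listing above. Assumptions: the field names in `QUERY` follow the public GitHub GraphQL schema as I recall it (`securityVulnerabilities` with `advisory`, `package`, `vulnerableVersionRange`, `firstPatchedVersion`); a `GITHUB_TOKEN` environment variable and network access are needed only by `fetch_vulnerabilities()`; `SAMPLE_RESPONSE` is constructed by hand from two rows of this page, and its timestamps, identifier lists and the Vyper version range are placeholders rather than values copied from the real advisories.

```python
"""Flatten GitHub Advisory Database GraphQL results into listing-style rows.

Added example, not GitHub's client code. Schema field names are assumed
from the public GraphQL API; SAMPLE_RESPONSE is constructed (see comments).
"""
import json
import os
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# securityVulnerabilities is the connection that accepts the page's filters
# (ecosystem, package, severities). Enum values are upper-case: PIP, MAVEN,
# COMPOSER, ...; LOW, MODERATE, HIGH, CRITICAL.
QUERY = """
query($ecosystem: SecurityAdvisoryEcosystem!, $package: String,
      $severities: [SecurityAdvisorySeverity!], $first: Int!, $after: String) {
  securityVulnerabilities(ecosystem: $ecosystem, package: $package,
                          severities: $severities, first: $first, after: $after) {
    pageInfo { hasNextPage endCursor }
    nodes {
      severity
      vulnerableVersionRange
      firstPatchedVersion { identifier }
      package { ecosystem name }
      advisory { summary publishedAt identifiers { type value } }
    }
  }
}
"""


def flatten(response):
    """Turn one response page into rows shaped like the listing above.

    The identifier column prefers the CVE; an advisory with no CVE (the Vyper
    row on this page) falls back to its GHSA id, which is also in `identifiers`.
    """
    if "errors" in response:
        # GraphQL signals failure with HTTP 200 plus an `errors` array, so a
        # client that only checks the status code would silently get no rows.
        raise RuntimeError("GraphQL errors: %s" % response["errors"])
    rows = []
    for node in response["data"]["securityVulnerabilities"]["nodes"]:
        adv = node["advisory"]
        ids = {i["type"]: i["value"] for i in adv["identifiers"]}
        patched = node.get("firstPatchedVersion") or {}  # null when unfixed
        rows.append({
            "title": adv["summary"],
            "severity": node["severity"].capitalize(),          # LOW -> Low
            "id": ids.get("CVE") or ids.get("GHSA"),
            "package": node["package"]["name"],
            "ecosystem": node["package"]["ecosystem"].lower(),  # PIP -> pip
            "published": adv["publishedAt"][:10],               # ISO date part
            "vulnerable_range": node["vulnerableVersionRange"],
            "first_patched": patched.get("identifier"),
        })
    return rows


def format_row(row):
    """Render a row in the same column order as the listing above."""
    return "%s | %s | %s | %s (%s) | %s" % (
        row["title"], row["severity"], row["id"],
        row["package"], row["ecosystem"], row["published"])


def fetch_vulnerabilities(ecosystem, package=None, severities=("LOW",),
                          page_size=100, token=None):
    """Page through the live API with the page's filters (needs a token)."""
    token = token or os.environ.get("GITHUB_TOKEN")
    if not token:
        raise RuntimeError("set GITHUB_TOKEN; the GraphQL endpoint is authenticated")
    rows, after = [], None
    while True:
        variables = {"ecosystem": ecosystem, "package": package, "first": page_size,
                     "severities": list(severities) if severities else None,
                     "after": after}
        req = urllib.request.Request(
            GRAPHQL_URL, data=json.dumps({"query": QUERY, "variables": variables}).encode(),
            headers={"Authorization": "Bearer " + token,
                     "Content-Type": "application/json",
                     "User-Agent": "advisory-listing-example"})  # GitHub requires a UA
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        rows.extend(flatten(page))
        info = page["data"]["securityVulnerabilities"]["pageInfo"]
        if not info["hasNextPage"]:
            return rows
        after = info["endCursor"]


# Constructed by hand from two rows of the listing above. Timestamps, the
# identifier lists and the Vyper version range are placeholders, not copies of
# the real advisories.
SAMPLE_RESPONSE = {"data": {"securityVulnerabilities": {
    "pageInfo": {"hasNextPage": False, "endCursor": None},
    "nodes": [
        {"severity": "LOW", "vulnerableVersionRange": "< 2.2.3",
         "firstPatchedVersion": {"identifier": "2.2.3"},
         "package": {"ecosystem": "PIP", "name": "Werkzeug"},
         "advisory": {"summary": "Incorrect parsing of nameless cookies leads to __Host- cookies bypass",
                      "publishedAt": "2023-02-15T00:00:00Z",
                      "identifiers": [{"type": "CVE", "value": "CVE-2023-23934"}]}},
        {"severity": "LOW", "vulnerableVersionRange": "< 0.0.0 (placeholder)",
         "firstPatchedVersion": None,
         "package": {"ecosystem": "PIP", "name": "vyper"},
         "advisory": {"summary": "VVE-2021-0002: Incorrect `returndatasize` when using simple forwarder proxies deployed prior to EIP-1167 adoption",
                      "publishedAt": "2021-04-19T00:00:00Z",
                      "identifiers": [{"type": "GHSA", "value": "GHSA-375m-5fvv-xq23"}]}},
    ]}}}

if __name__ == "__main__":
    for row in flatten(SAMPLE_RESPONSE):
        print(format_row(row))
    if os.environ.get("GITHUB_TOKEN"):  # live query mirroring this page's pip/Low filter
        for row in fetch_vulnerabilities("PIP", package="Werkzeug"):
            print(format_row(row))
```

Two points worth keeping from this: query `securityVulnerabilities`, not `securityAdvisories`, when you want the page's ecosystem and severity filters, and treat an `errors` array as a failure even though the HTTP status is 200, otherwise a bad token or a typo in the query quietly yields an empty advisory list.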