Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,077
Erlang
29
GitHub Actions
19
Go
1,903
Maven
5,000+
npm
3,632
NuGet
638
pip
3,249
Pub
10
RubyGems
864
Rust
818
Swift
35
Unreviewed advisories
All unreviewed
5,000+

106 advisories

Loading
Mautic vulnerable to Improper Access Control in UI upgrade process High
CVE-2022-25768 was published for mautic/core (Composer) Sep 18, 2024
mollux escopecz
patrykgruszka
Flask-CORS allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default High
CVE-2024-6221 was published for Flask-Cors (pip) Aug 18, 2024
adrianosela Alex-ley-scrub
icarocd
RBAC Roles for `etcd` created by Kamaji are not disjunct High
CVE-2024-42480 was published for github.com/clastix/kamaji (Go) Aug 12, 2024
SimonKienzler prometherion
Juju's unprivileged user running on charm node can leak any secret or relation data accessible to the local charm High
GHSA-6vjm-54vp-mxhx was published for github.com/juju/juju (Go) Aug 5, 2024
phvalguima manadart
SimonRichardson hpidcock lucistanescu eslerm
Mattermost allows unsolicited invites to expose access to local channels High
CVE-2024-39777 was published for github.com/mattermost/mattermost/server/v8 (Go) Aug 1, 2024
Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel High
CVE-2024-39274 was published for github.com/mattermost/mattermost/server/v8 (Go) Aug 1, 2024
Mattermost failed to disallow the modification of local users when syncing users in shared channels High
CVE-2024-36492 was published for github.com/mattermost/mattermost/server/v8 (Go) Aug 1, 2024
Studio 42 elFinder vulnerable to Incorrect Access Control High
CVE-2024-38909 was published for studio-42/elfinder (Composer) Jul 30, 2024
BookStack Incorrect Access Control vulnerability High
CVE-2024-36676 was published for ssddanbrown/bookstack (Composer) Jul 10, 2024
Keycloak's admin API allows low privilege users to use administrative functions High
CVE-2024-3656 was published for org.keycloak:keycloak-services (Maven) Jun 11, 2024
Authlib has algorithm confusion with asymmetric public keys High
CVE-2024-37568 was published for authlib (pip) Jun 9, 2024
karmada vulnerable to arbitrary code execution via a crafted command High
CVE-2024-33396 was published for github.com/karmada-io/karmada (Go) May 2, 2024
Rancher's Steve API Component Improper authorization check allows privilege escalation High
CVE-2021-36776 was published for github.com/rancher/rancher (Go) Apr 24, 2024
Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication High
CVE-2021-36775 was published for github.com/rancher/rancher (Go) Apr 24, 2024
Access Restriction Bypass in go-ipfs High
CVE-2020-10937 was published for github.com/ipfs/go-ipfs (Go) Apr 24, 2024
Dolibarr vulnerable to Cross-Site Request Forgery High
CVE-2024-31503 was published for dolibarr/dolibarr (Composer) Apr 17, 2024
Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated High
CVE-2024-22234 was published for org.springframework.security:spring-security-core (Maven) Feb 20, 2024
oscerd
TYPO3 vulnerable to Improper Access Control Persisting File Abstraction Layer Entities via Data Handler High
CVE-2024-25121 was published for typo3/cms-core (Composer) Feb 13, 2024
ohader
Graylog vulnerable to instantiation of arbitrary classes triggered by API request High
CVE-2024-24824 was published for org.graylog2:graylog2-server (Maven) Feb 7, 2024
fabsx00
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem High
CVE-2024-23331 was published for vite (npm) Jan 19, 2024
dariushoule
Sandbox escape in Artemis Java Test Sandbox High
CVE-2024-23681 was published for de.tum.in.ase:artemis-java-test-sandbox (Maven) Jan 19, 2024
EverShop at risk to unauthorized access via weak HMAC secret High
CVE-2023-46943 was published for @evershop/evershop (npm) Jan 13, 2024
pyload Unauthenticated Flask Configuration Leakage vulnerability High
CVE-2024-21644 was published for pyload-ng (pip) Jan 8, 2024
PinkDraconian
Wasmer filesystem sandbox not enforced High
CVE-2023-51661 was published for wasmer-cli (Rust) Dec 13, 2023
yagehu
Decidim has broken access control in templates High
CVE-2023-36465 was published for decidim (RubyGems) Oct 5, 2023
andreslucena
ProTip! Advisories are also available from the GraphQL API