Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,133
Erlang
29
GitHub Actions
19
Go
1,940
Maven
5,000+
npm
3,677
NuGet
645
pip
3,295
Pub
11
RubyGems
877
Rust
830
Swift
35
Unreviewed advisories
All unreviewed
5,000+

975 advisories

Loading
libp2p DoS vulnerability from lack of resource management High
CVE-2022-23487 was published for libp2p (npm) Dec 7, 2022
muhammara and hummus vulnerable to Unchecked Return Value to NULL Pointer Dereference High
CVE-2022-41957 was published for hummus (npm) Dec 5, 2022
Read the Docs vulnerable to Cross-Site Scripting (XSS) Moderate
GHSA-98pf-gfh3-x3mp was published for readthedocs (npm) Nov 10, 2022
stsewd
Redwood is vulnerable to account takeover via dbAuth "forgot-password" High
GHSA-3qmc-2r76-4rqp was published for @redwoodjs/api (npm) Nov 10, 2022
Markdownify has Files or Directories Accessible to External Parties Moderate
CVE-2022-41710 was published for electron-markdownify (npm) Nov 4, 2022
Unchecked Return Value to NULL Pointer Dereference in PDFDocumentHandler.cpp High
CVE-2022-39381 was published for hummus (npm) Nov 2, 2022
kilsen through-a-haze
muhammara and hummus vulnerable to denial of service by NULL pointer dereference High
CVE-2022-25892 was published for hummus (npm) Nov 1, 2022
Insufficient validation when decoding a Socket.IO packet Critical
CVE-2022-2421 was published for socket.io-parser (npm) Oct 26, 2022
darrachequesne kurt-r2c
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details Moderate
CVE-2022-39350 was published for @dependencytrack/frontend (npm) Oct 25, 2022
Waterstraal
Markdownify subject to Remote Code Execution via malicious markdown file High
CVE-2022-41709 was published for electron-markdownify (npm) Oct 19, 2022
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable High
CVE-2022-37603 was published for loader-utils (npm) Oct 14, 2022
jeran-urban
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) High
CVE-2022-37599 was published for loader-utils (npm) Oct 12, 2022
jeran-urban G-Rath
fastify vulnerable to denial of service via malicious Content-Type High
CVE-2022-39288 was published for fastify (npm) Oct 11, 2022
B-i-t-K
tiny-csrf has openly visible CSRF tokens High
CVE-2022-39287 was published for tiny-csrf (npm) Oct 7, 2022
Joplin Remote Code Execution High
CVE-2022-40277 was published for joplin (npm) Oct 1, 2022
matrix-js-sdk subject to user impersonation due to key/device identifier confusion in SAS verification High
CVE-2022-39250 was published for matrix-js-sdk (npm) Sep 30, 2022
matrix-js-sdk subject to user spoofing via Olm/Megolm protocol confusion High
CVE-2022-39251 was published for matrix-js-sdk (npm) Sep 30, 2022
matrix-js-sdk subject to impersonated messages due to permissive key forwarding High
CVE-2022-39249 was published for matrix-js-sdk (npm) Sep 30, 2022
@netlify/ipx vulnerable to Full Response SSRF and Stored XSS via Cache Poisoning and Improper Host Validation Moderate
CVE-2022-39239 was published for @netlify/ipx (npm) Sep 21, 2022
oauth2-server through 3.1.1 vulnerable to Open Redirect High
CVE-2020-26938 was published for oauth2-server (npm) Aug 30, 2022
Mongoose Vulnerable to Prototype Pollution in Schema Object Critical
CVE-2022-24304 was published for mongoose (npm) Aug 27, 2022
apollo-server-core vulnerable to URL-based XSS attack affecting IE11 on default landing page Moderate
GHSA-2fvv-qxrq-7jq6 was published for apollo-server-core (npm) Aug 18, 2022
adenkiewicz
conf-cfg-ini Prototype Pollution via malicious INI file before v1.2.2 Critical
CVE-2020-28441 was published for conf-cfg-ini (npm) Jul 26, 2022
ion-parser Prototype Pollution when malicious INI file submitted to application that parses with `parse` Critical
CVE-2020-28462 was published for ion-parser (npm) Jul 26, 2022
js-ini Prorotype Pollution when malicious INI files submitted to an application that parses it with `parse` Critical
CVE-2020-28461 was published for js-ini (npm) Jul 26, 2022
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database