Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
48
Go
3,361
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,554
Pub
12
RubyGems
1,013
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,998 advisories

Loading
Express.js Open Redirect in malformed URLs Moderate
CVE-2024-29041 was published for express (npm) Mar 25, 2024
FDrag0n Credited to FDrag0n, jonchurch, blakeembrey, wesleytodd, ruddermann, ctcpip, and UlisesGascon jonchurch jonchurch
blakeembrey blakeembrey wesleytodd wesleytodd ruddermann ruddermann ctcpip ctcpip UlisesGascon UlisesGascon
Pinned entity creation form shows wrong data Moderate
CVE-2023-45824 was published for oro/platform (Composer) Mar 25, 2024
KaTeX missing normalization of the protocol in URLs allows bypassing forbidden protocols Moderate
CVE-2024-28246 was published for katex (npm) Mar 25, 2024
7085 Credited to 7085, edemaine, and jupenur edemaine edemaine
jupenur jupenur
KaTeX's `\includegraphics` does not escape filename Moderate
CVE-2024-28245 was published for katex (npm) Mar 25, 2024
martinvks Credited to martinvks, edemaine, and jupenur edemaine edemaine
jupenur jupenur
KaTeX's maxExpand bypassed by Unicode sub/superscripts Moderate
CVE-2024-28244 was published for katex (npm) Mar 25, 2024
jupenur Credited to jupenur, ronkok, and edemaine ronkok ronkok
edemaine edemaine
KaTeX's maxExpand bypassed by `\edef` Moderate
CVE-2024-28243 was published for katex (npm) Mar 25, 2024
jupenur Credited to jupenur, edemaine, and Wenxin-Jiang edemaine edemaine
Wenxin-Jiang Wenxin-Jiang
ansys-geometry-core OS Command Injection vulnerability High
CVE-2024-29189 was published for ansys-geometry-core (pip) Mar 25, 2024
RobPasMue Credited to RobPasMue
OneUptime Vulnerable to a Privilege Escalation via Local Storage Key Manipulation High
CVE-2024-29194 was published for @oneuptime/common-server (npm) Mar 25, 2024
saunders-jake Credited to saunders-jake
RDoc RCE vulnerability with .rdoc_options Low
CVE-2024-27281 was published for rdoc (RubyGems) Mar 25, 2024
StringIO buffer overread vulnerability Critical
CVE-2024-27280 was published for stringio (RubyGems) Mar 25, 2024
WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM High
GHSA-g4v6-69p6-q3p4 was published for PanelSwWix4.Sdk (NuGet) Mar 25, 2024
WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM High
GHSA-wq88-fq4x-h2pm was published for PanelSW.Custom.WiX (NuGet) Mar 25, 2024
phpMyFAQ Path Traversal in Attachments Low
CVE-2024-29196 was published for phpmyfaq/phpmyfaq (Composer) Mar 25, 2024
kevinnivekkevin Credited to kevinnivekkevin
@thi.ng/paths Prototype Pollution vulnerability Critical
CVE-2024-29650 was published for @thi.ng/paths (npm) Mar 25, 2024
Duplicate Advisory: web3-utils Prototype Pollution vulnerability High
GHSA-87qp-7cw8-8q9c was published for web3-utils (npm) Mar 25, 2024 withdrawn
PaddlePaddle allows arbitrary file read via paddle.vision.ops.read_file High
CVE-2024-1603 was published for paddlepaddle (pip) Mar 23, 2024
SSRF Vulnerability on assetlinks_check(act_name, well_knowns) High
CVE-2024-29190 was published for mobsfscan (pip) Mar 22, 2024
bulutenes Credited to bulutenes and aydinnyunus aydinnyunus aydinnyunus
XNIO denial of service vulnerability High
CVE-2023-5685 was published for org.jboss.xnio:xnio-api (Maven) Mar 22, 2024
grosario1 Credited to grosario1
Cross-Site Request Forgery in Anchor CMS High
CVE-2024-29499 was published for anchorcms/anchor-cms (Composer) Mar 22, 2024
Cross-Site Request Forgery in Anchor CMS Moderate
CVE-2024-29338 was published for anchorcms/anchor-cms (Composer) Mar 22, 2024
Slow String Operations via MultiPart Requests in Event-Driven Functions Moderate
CVE-2024-29186 was published for bref/bref (Composer) Mar 22, 2024
smaury Credited to smaury, mnapoli, rcambien, and GrahamCampbell mnapoli mnapoli
rcambien rcambien GrahamCampbell GrahamCampbell
Cache Poisoning Vulnerability Moderate
CVE-2024-29042 was published for translate (npm) Mar 22, 2024
PinkDraconian Credited to PinkDraconian
Denial of service while parsing a tar file due to lack of folders count validation Moderate
CVE-2024-28863 was published for node-tar (npm) Mar 22, 2024
DEMON1A Credited to DEMON1A, AlmogApiiro, and ebickle AlmogApiiro AlmogApiiro
ebickle ebickle
Gadget chain in Symfony 1 due to uncontrolled unserialized input in sfNamespacedParameterHolder Moderate
CVE-2024-28861 was published for friendsofsymfony1/symfony1 (Composer) Mar 22, 2024
darkpills Credited to darkpills
Server Side Template Injection (SSTI) via Twig escape handler High
CVE-2024-28119 was published for getgrav/grav (Composer) Mar 22, 2024
as3617 Credited to as3617 and juckchang juckchang juckchang
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database