Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
48
GitHub Actions
48
Go
3,391
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,614
Pub
13
RubyGems
1,013
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

28,209 advisories

Loading
Reportico affected by Incorrect Access Control Moderate
CVE-2023-48865 was published for reportico-web/reportico (Composer) Apr 12, 2024
Mautic vulnerable to stored cross-site scripting in description field High
CVE-2021-27915 was published for mautic/core (Composer) Apr 11, 2024
Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode Moderate
CVE-2024-3651 was published for idna (pip) Apr 11, 2024
guidovranken Credited to guidovranken
phin may include sensitive headers in subsequent requests after redirect Moderate
GHSA-x565-32qp-m3vf was published for phin (npm) Apr 11, 2024
Matrix IRC Bridge truncated content of messages can be leaked Moderate
CVE-2024-32000 was published for matrix-appservice-irc (npm) Apr 11, 2024
progval Credited to progval
Cosign malicious artifacts can cause machine-wide DoS Moderate
CVE-2024-29903 was published for github.com/sigstore/cosign (Go) Apr 11, 2024
AdamKorcz Credited to AdamKorcz and DavidKorczynski DavidKorczynski DavidKorczynski
Cosign malicious attachments can cause system-wide denial of service Moderate
CVE-2024-29902 was published for github.com/sigstore/cosign (Go) Apr 11, 2024
AdamKorcz Credited to AdamKorcz
Potential DoS via the Tudoor mechanism in eventlet and dnspython Moderate
CVE-2023-29483 was published for dnspython (pip) Apr 11, 2024
Code injection in Apache Zeppelin Shell Moderate
CVE-2024-31861 was published for org.apache.zeppelin:zeppelin-shell (Maven) Apr 11, 2024
raboof Credited to raboof
mysql2 Remote Code Execution (RCE) via the readCodeFor function Critical
CVE-2024-21508 was published for mysql2 (npm) Apr 11, 2024
Summernote vulnerable to cross-site scripting Moderate
CVE-2024-29504 was published for summernote (npm) Apr 11, 2024
SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used Low
CVE-2024-32001 was published for github.com/authzed/spicedb (Go) Apr 10, 2024
Evmos transaction execution not accounting for all state transition after interaction with precompiles Critical
CVE-2024-32644 was published for github.com/evmos/evmos/v16 (Go) Apr 10, 2024
iczc Credited to iczc
WWBN AVideo Remote Code Execution Critical
CVE-2024-31819 was published for wwbn/avideo (Composer) Apr 10, 2024
Transformers Deserialization of Untrusted Data vulnerability Low
CVE-2024-3568 was published for transformers (pip) Apr 10, 2024
llama-index-core Prompt Injection vulnerability leading to Arbitrary Code Execution Critical
CVE-2024-3098 was published for llama-index-core (pip) Apr 10, 2024
LiteLLM has Server-Side Template Injection vulnerability in /completions endpoint Critical
CVE-2024-2952 was published for litellm (pip) Apr 10, 2024
ishaan-jaff Credited to ishaan-jaff and r3kumar r3kumar r3kumar
Duplicate Advisory: Gradio Local File Inclusion vulnerability High
GHSA-3f95-mxq2-2f63 was published for gradio (pip) Apr 10, 2024 withdrawn
Aim Cross-Site Request Forgery vulnerability allows user to delete runs and perform other operations High
CVE-2024-2196 was published for aim (pip) Apr 10, 2024
Aim Web API vulnerable to Remote Code Execution Critical
CVE-2024-2195 was published for aim (pip) Apr 10, 2024
LArkema Credited to LArkema
LocalAI Command Injection in audioToWav Critical
CVE-2024-2029 was published for github.com/go-skynet/LocalAI (Go) Apr 10, 2024
XWiki Platform remote code execution from account through UIExtension parameters Critical
CVE-2024-31997 was published for org.xwiki.platform:xwiki-platform-uiextension-api (Maven) Apr 10, 2024
XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution Critical
CVE-2024-31996 was published for org.xwiki.commons:xwiki-commons-velocity (Maven) Apr 10, 2024
zcap has incomplete expiration checks in capability chains. Moderate
CVE-2024-31995 was published for @digitalbazaar/zcap (npm) Apr 10, 2024
@fastify/secure-session: Reuse of destroyed secure session cookie High
CVE-2024-31999 was published for @fastify/secure-session (npm) Apr 10, 2024
AdamKorcz Credited to AdamKorcz, mcollina, and arthurscchan mcollina mcollina
arthurscchan arthurscchan
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database