Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,077
Erlang
29
GitHub Actions
19
Go
1,903
Maven
5,000+
npm
3,632
NuGet
638
pip
3,249
Pub
10
RubyGems
864
Rust
818
Swift
35
Unreviewed advisories
All unreviewed
5,000+

17 advisories

Loading
2FA bypass in Wagtail through new device path High
CVE-2019-16766 was published for wagtail-2fa (pip) Nov 29, 2019
Authentication Bypass by Spoofing in express-cart High
CVE-2018-16483 was published for express-cart (npm) Feb 7, 2019
Authentication Bypass in Apache Cassandra High
CVE-2020-17516 was published for org.apache.cassandra:cassandra-all (Maven) Feb 9, 2022
Authentication Bypass High
CVE-2021-29441 was published for com.alibaba.nacos:nacos-common (Maven) Apr 27, 2021
SAML authentication vulnerability due to stdlib XML parsing High
CVE-2020-26276 was published for github.com/fleetdm/fleet/v4 (Go) Feb 11, 2022
HTTP Method Spoofing High
CVE-2021-43807 was published for org.opencastproject:opencast-common (Maven) Dec 14, 2021
lkiesow
Parse Server option `masterKeyIps` vulnerability to IP spoofing High
CVE-2023-22474 was published for parse-server (npm) Jan 31, 2023
dblythy
Duplicate advisory: High severity vulnerability that affects passport-wsfed-saml2 High
GHSA-7fpw-cfc4-3p2c was published for passport-wsfed-saml2 (npm) Dec 28, 2017 withdrawn
passport-wsfed-saml2 vulnerable to Signature Bypass in SAML2 token High
CVE-2017-16897 was published for passport-wsfed-saml2 (npm) Jun 21, 2023
Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault High
CVE-2020-16250 was published for github.com/hashicorp/vault (Go) Aug 2, 2021
Withdrawn Advisory: Node.js Inspector RCE via DNS Rebinding High
CVE-2018-7160 was published for node-inspector (npm) May 13, 2022 withdrawn
omniauth-apple allows attacker to fake their email address during authentication High
CVE-2020-26254 was published for omniauth-apple (RubyGems) Dec 8, 2020
davidtaylorhq
Apache HugeGraph-Server: Bypass whitelist in Auth mode High
CVE-2024-27349 was published for org.apache.hugegraph:hugegraph-api (Maven) Apr 22, 2024
OctoPrint has an Authentication Bypass via X-Forwarded-For Header when autologinLocal is enabled High
CVE-2024-32977 was published for OctoPrint (pip) May 14, 2024
jacopotediosi
Ollama DNS rebinding vulnerability High
CVE-2024-28224 was published for github.com/ollama/ollama (Go) Apr 8, 2024
Jenkins Script Security Plugin sandbox bypass vulnerability High
CVE-2024-34145 was published for org.jenkins-ci.plugins:script-security (Maven) May 2, 2024
Apache SeaTunnel Web Authentication vulnerability High
CVE-2023-48396 was published for org.apache.seatunnel:seatunnel-web (Maven) Jul 30, 2024
ProTip! Advisories are also available from the GraphQL API