Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,233
Erlang
31
GitHub Actions
20
Go
1,992
Maven
5,000+
npm
3,709
NuGet
661
pip
3,346
Pub
11
RubyGems
884
Rust
846
Swift
36
Unreviewed advisories
All unreviewed
5,000+

3,710 advisories

Loading
Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify High
GHSA-m4gq-x24j-jpmf was published for mermaid (npm) Oct 22, 2024
aloisklink sidharthv96
ashishjain0512 mlevy-parasoft byt3n33dl3
Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section Moderate
CVE-2024-47819 was published for @umbraco-cms/backoffice (npm) Oct 22, 2024
DuongPhamm
secp256k1-node allows private key extraction over ECDH High
CVE-2024-48930 was published for secp256k1 (npm) Oct 21, 2024
ChALkeR jprichardson
Denial of service in http-proxy-middleware High
CVE-2024-21536 was published for http-proxy-middleware (npm) Oct 19, 2024
ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function Low
CVE-2024-9506 was published for vue (npm) Oct 15, 2024
m3t3kh4n
Malicious homeservers can steal message keys when the matrix-react-sdk user invites another user to a room High
CVE-2024-47824 was published for matrix-react-sdk (npm) Oct 15, 2024
dkasak
Matrix JavaScript SDK's key history sharing could share keys to malicious devices High
CVE-2024-47080 was published for matrix-js-sdk (npm) Oct 15, 2024
dkasak
Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy Critical
CVE-2024-48914 was published for @vendure/asset-server-plugin (npm) Oct 15, 2024
Hono allows bypass of CSRF Middleware by a request without Content-Type header. Moderate
CVE-2024-48913 was published for hono (npm) Oct 15, 2024
KageShiron MathurAditya724
Valid ECDSA signatures erroneously rejected in Elliptic Low
CVE-2024-48948 was published for elliptic (npm) Oct 15, 2024
martincostello IchordeDionysos
Cross site scripting in markdown-to-jsx Moderate
CVE-2024-21535 was published for markdown-to-jsx (npm) Oct 15, 2024
DOM Clobbering Gadget found in astro's client-side router that leads to XSS Moderate
CVE-2024-47885 was published for astro (npm) Oct 14, 2024
jackfromeast ishmeals
Denial of Service condition in Next.js image optimization Moderate
CVE-2024-47831 was published for next (npm) Oct 14, 2024
angular-base64-upload vulnerable to unauthenticated remote code execution Critical
CVE-2024-42640 was published for angular-base64-upload (npm) Oct 11, 2024
rvizx
DOMpurify has a nesting-based mXSS High
CVE-2024-47875 was published for dompurify (npm) Oct 11, 2024
bastien-roucaries eslerm
JSONPath Plus Remote Code Execution (RCE) Vulnerability Critical
CVE-2024-21534 was published for jsonpath-plus (Maven) Oct 11, 2024
jdong10
Elliptic's verify function omits uniqueness validation Low
CVE-2024-48949 was published for elliptic (npm) Oct 10, 2024
Markus-MS
ggit is vulnerable to Arbitrary Argument Injection via the clone() API Moderate
CVE-2024-21533 was published for ggit (npm) Oct 8, 2024
SAP HANA Node.js client package vulnerable to Prototype Pollution Moderate
CVE-2024-45277 was published for @sap/hana-client (npm) Oct 8, 2024
ggit is vulnerable to Command Injection via the fetchTags(branch) API Moderate
CVE-2024-21532 was published for ggit (npm) Oct 8, 2024
Saltcorn Server Stored Cross-Site Scripting (XSS) in event logs page Moderate
GHSA-pf56-h9qf-rxq4 was published for @saltcorn/server (npm) Oct 7, 2024
dellalibera
Saltcorn Server allows logged-in users to delete arbitrary files because of a path traversal vulnerability High
CVE-2024-47818 was published for @saltcorn/server (npm) Oct 7, 2024
dellalibera
cookie accepts cookie name, path, and domain with out of bounds characters Low
CVE-2024-47764 was published for cookie (npm) Oct 4, 2024
Parse Server's custom object ID allows to acquire role privileges High
CVE-2024-47183 was published for parse-server (npm) Oct 4, 2024
mstniy mtrezza
@saltcorn/plugins-loader unsanitized plugin name leads to a remote code execution (RCE) vulnerability when creating plugins using git source High
GHSA-fm76-w8jw-xf8m was published for @saltcorn/plugins-loader (npm) Oct 3, 2024
dellalibera
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database