GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
3,944
Erlang
29
GitHub Actions
16
Go
1,729
Maven
4,955
npm
3,489
NuGet
607
pip
3,056
Pub
10
RubyGems
832
Rust
778
Swift
34
Unreviewed advisories
All unreviewed
5,000+
121 advisories
Filter by severity
titon/framework vulnerable to Remote Code Execution via Chosen-Ciphertext Attack
Critical
GHSA-q3jm-v27q-jfww
was published
for
titon/framework
(Composer)
May 30, 2024
Grafana Plugin signature bypass
Moderate
CVE-2022-31123
was published
for
github.com/grafana/grafana
(Go)
May 14, 2024
TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController
Moderate
CVE-2024-34358
was published
for
typo3/cms-core
(Composer)
May 14, 2024
xml-crypto vulnerable to XML signature verification bypass due improper verification of signature/signature spoofing
Critical
CVE-2024-32962
was published
for
xml-crypto
(npm)
May 1, 2024
Keycloak vulnerable to impersonation via logout token exchange
Low
CVE-2023-0657
was published
for
org.keycloak:keycloak-services
(Maven)
Apr 17, 2024
google-oauth-java-client improperly verifies cryptographic signature
High
CVE-2021-22573
was published
for
com.google.oauth-client:google-oauth-client
(Maven)
Apr 9, 2024
Improper Verification of Cryptographic Signature in aws-encryption-sdk-java
Moderate
CVE-2024-23680
was published
for
com.amazonaws:aws-encryption-sdk-java
(Maven)
Jan 19, 2024
Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC
Critical
CVE-2024-21669
was published
for
aries-cloudagent
(pip)
Jan 9, 2024
yiisoft/yii2-authclient's Oauth2 PKCE implementation is vulnerable
Moderate
CVE-2023-50714
was published
for
yiisoft/yii2-authclient
(Composer)
Dec 18, 2023
Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.
Moderate
CVE-2023-47122
was published
for
github.com/sigstore/gitsign
(Go)
Nov 14, 2023
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack
High
CVE-2023-46234
was published
for
browserify-sign
(npm)
Oct 26, 2023
light-oauth2 missing public key verification
Moderate
CVE-2023-31580
was published
for
com.networknt:light-oauth2
(Maven)
Oct 25, 2023
free5GC udm vulnerable to Invalid Curve Attack
High
CVE-2023-46324
was published
for
github.com/free5gc/udm
(Go)
Oct 23, 2023
AEADs/aes-gcm: Plaintext exposed in decrypt_in_place_detached even on tag verification failure
Moderate
CVE-2023-42811
was published
for
aes-gcm
(Rust)
Sep 22, 2023
Archive spoofing vulnerability in borgbackup
Moderate
CVE-2023-36811
was published
for
borgbackup
(pip)
Aug 30, 2023
Cleartext Signed Message Signature Spoofing in openpgp
Moderate
CVE-2023-41037
was published
for
openpgp
(npm)
Aug 29, 2023
@node-saml/node-saml's validatePostRequestAsync does not include checkTimestampsValidityError
Moderate
CVE-2023-40178
was published
for
@node-saml/node-saml
(npm)
Aug 21, 2023
notation-go's verification bypass can cause users to verify the wrong artifact
High
CVE-2023-33959
was published
for
github.com/notaryproject/notation-go
(Go)
Jun 6, 2023
Signature validation bypass in github.com/moov-io/signedxml
Critical
CVE-2023-34205
was published
for
github.com/moov-io/signedxml
(Go)
May 30, 2023
Incorrect signature verification in django-ses
Moderate
CVE-2023-33185
was published
for
django-ses
(pip)
May 22, 2023
NATS TLS certificate common name validation bypass
Moderate
GHSA-wvc4-j7g5-4f79
was published
for
nats
(Rust)
Mar 27, 2023
russh may use insecure Diffie-Hellman keys
Moderate
CVE-2023-28113
was published
for
russh
(Rust)
Mar 17, 2023
OpenZeppelin Contracts contains Improper Verification of Cryptographic Signature
Moderate
CVE-2023-23940
was published
for
openzeppelin-cairo-contracts
(pip)
Feb 2, 2023
Cargo did not verify SSH host keys
Moderate
CVE-2022-46176
was published
for
cargo
(Rust)
Jan 10, 2023
go-saml's XML Digital Signatures use SHA-1
Moderate
CVE-2020-36563
was published
for
github.com/RobotsAndPencils/go-saml
(Go)
Dec 28, 2022
ProTip!
Advisories are also available from the
GraphQL API