Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,077
Erlang
29
GitHub Actions
19
Go
1,902
Maven
5,000+
npm
3,631
NuGet
638
pip
3,246
Pub
10
RubyGems
863
Rust
818
Swift
35
Unreviewed advisories
All unreviewed
5,000+

960 advisories

Loading
Prototype pollution in izatop bunt Critical
CVE-2024-38989 was published for @bunt/app (npm) Aug 12, 2024
NextChat has full-read SSRF and XSS vulnerability in /api/cors endpoint Critical
CVE-2023-49785 was published for nextchat (npm) Aug 5, 2024
nvn1729
rejetto HFS vulnerable to OS Command Execution by remote authenticated users Critical
CVE-2024-39943 was published for hfs (npm) Jul 5, 2024
ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability Critical
CVE-2024-39309 was published for parse-server (npm) Jul 1, 2024
mtrezza
jsonic was discovered to contain a prototype pollution via the function empty. Critical
CVE-2024-38993 was published for jsonic (npm) Jul 1, 2024 withdrawn
wzrdtales
obx Prototype Pollution Critical
CVE-2024-36573 was published for @almela/obx (npm) Jun 17, 2024
lunary-ai/lunary Access Control Vulnerability in Prompt Variation Management Critical
CVE-2024-5389 was published for lunary (npm) Jun 10, 2024
lunary-ai/lunary allows users unauthorized access to projects Critical
CVE-2024-4146 was published for lunary (npm) Jun 8, 2024
Jan path traversal vulnerability Critical
CVE-2024-37273 was published for @janhq/core (npm) Jun 4, 2024
Jan path traversal vulnerability Critical
CVE-2024-36858 was published for @janhq/core (npm) Jun 4, 2024
Van-QA
Blackprint @blackprint/engine Prototype Pollution issue Critical
CVE-2024-24294 was published for @blackprint/engine (npm) May 20, 2024
@valtimo/components exposes access token to form.io Critical
CVE-2024-34706 was published for @valtimo/components (npm) May 13, 2024
lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability Critical
CVE-2024-32964 was published for @lobehub/chat (npm) May 10, 2024
yyzsec
xml-crypto vulnerable to XML signature verification bypass due improper verification of signature/signature spoofing Critical
CVE-2024-32962 was published for xml-crypto (npm) May 1, 2024
MySQL2 for Node Arbitrary Code Injection Critical
CVE-2024-21511 was published for mysql2 (npm) Apr 23, 2024
AWS Amplify CLI has incorrect trust policy management Critical
CVE-2024-28056 was published for @aws-amplify/cli (npm) Apr 15, 2024
mysql2 Remote Code Execution (RCE) via the readCodeFor function Critical
CVE-2024-21508 was published for mysql2 (npm) Apr 11, 2024
MailDev Remote Code Execution Critical
CVE-2024-27448 was published for maildev (npm) Apr 5, 2024
stypr
@thi.ng/paths Prototype Pollution vulnerability Critical
CVE-2024-29650 was published for @thi.ng/paths (npm) Mar 25, 2024
Server crashes on invalid Cloud Function or Cloud Job name Critical
CVE-2024-29027 was published for parse-server (npm) Mar 19, 2024
mtrezza EhsanParsania
HTTP Handling Vulnerability in the Bare server Critical
CVE-2024-27922 was published for @tomphttp/bare-server-node (npm) Mar 5, 2024
hackermondev
JSONata expression can pollute the "Object" prototype Critical
CVE-2024-27307 was published for jsonata (npm) Mar 4, 2024
AlbertSPedersen
Budibase affected by VM2 Constructor Escape Vulnerability Critical
GHSA-4g2x-vq5p-5vj6 was published for @budibase/server (npm) Mar 1, 2024
ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection Critical
CVE-2024-27298 was published for parse-server (npm) Mar 1, 2024
mtrezza EhsanParsania
@nfid/embed has compromised private key due to @dfinity/auth-client producing insecure session keys Critical
GHSA-84c3-j8r2-mcm8 was published for @nfid/embed (npm) Feb 26, 2024
ProTip! Advisories are also available from the GraphQL API