GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
4,273
Erlang
31
GitHub Actions
21
Go
2,055
Maven
5,000+
npm
3,739
NuGet
668
pip
3,417
Pub
12
RubyGems
891
Rust
872
Swift
36
Unreviewed advisories
All unreviewed
5,000+
67 advisories
Filter by severity
Improper Input Validation in Symfony
Critical
CVE-2019-11325
was published
for
symfony/symfony
(Composer)
Feb 12, 2020
Secret disclosure when containing characters that become URI encoded
High
CVE-2020-26226
was published
for
semantic-release
(npm)
Nov 18, 2020
Control character injection in console output in github.com/ipfs/go-ipfs
Moderate
CVE-2020-26283
was published
for
github.com/ipfs/go-ipfs
(Go)
Jun 23, 2021
Insufficient output escaping of attachment names in PHPMailer
High
CVE-2020-13625
was published
for
phpmailer/phpmailer
(Composer)
May 27, 2020
Cross-site Scripting in Filter Stream Converter Application in XWiki Platform
High
CVE-2022-29258
was published
for
org.xwiki.platform:xwiki-platform-filter-ui
(Maven)
Jun 1, 2022
Cross-site Scripting in wiki manager join wiki page
High
CVE-2022-29252
was published
for
org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki
(Maven)
May 25, 2022
Cross-site Scripting in the Flamingo theme manager
High
CVE-2022-29251
was published
for
org.xwiki.platform:xwiki-platform-flamingo-theme-ui
(Maven)
May 25, 2022
Log Injection in Apache Sling Commons Log and Apache Sling API
Moderate
CVE-2022-32549
was published
for
org.apache.sling:org.apache.sling.api
(Maven)
Jun 23, 2022
Shell command injection in gitea
High
CVE-2022-30781
was published
for
code.gitea.io/gitea
(Go)
May 17, 2022
OmniAuth's `lib/omniauth/failure_endpoint.rb` does not escape `message_key` value
Critical
CVE-2020-36599
was published
for
omniauth
(RubyGems)
Aug 19, 2022
keycloak Self Stored Cross-site Scripting vulnerability
Critical
CVE-2021-20195
was published
for
org.keycloak:keycloak-core
(Maven)
Jun 8, 2021
Improper Encoding or Escaping of Output and Injection in LibreNMS
High
CVE-2019-12463
was published
for
librenms/librenms
(Composer)
Oct 11, 2019
Improper Encoding or Escaping of Output in Asset Metadata Component
High
CVE-2021-39170
was published
for
pimcore/pimcore
(Composer)
Sep 1, 2021
Log value insertion in craftercms
Moderate
CVE-2021-23266
was published
for
org.craftercms:craftercms
(Maven)
May 17, 2022
Gin's default logger allows unsanitized input that can allow remote attackers to inject arbitrary log lines
High
CVE-2020-36567
was published
for
github.com/gin-gonic/gin
(Go)
Dec 27, 2022
Authentication Bypass by Alternate Name in Apache Tomcat
Moderate
CVE-2021-30640
was published
for
org.apache.tomcat:tomcat
(Maven)
Aug 13, 2021
XWiki Platform vulnerable to privilege escalation via async macro and IconThemeSheet from the user profile
Critical
CVE-2023-26472
was published
for
org.xwiki.platform:xwiki-platform-icon-ui
(Maven)
Mar 3, 2023
Path traversal in xwiki-platform-skin-skinx
Moderate
CVE-2022-23620
was published
for
org.xwiki.platform:xwiki-platform-skin-skinx
(Maven)
Feb 9, 2022
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in org.xwiki.platform:xwiki-platform-menu-ui
Critical
CVE-2022-41934
was published
for
org.xwiki.platform:xwiki-platform-menu-ui
(Maven)
Nov 21, 2022
XWiki Platform Applications Tag and XWiki Platform Tag UI vulnerable to Eval Injection
Critical
CVE-2022-36100
was published
for
org.xwiki.platform.applications:xwiki-application-tag
(Maven)
Sep 16, 2022
XWiki Platform Wiki UI Main Wiki Eval Injection vulnerability
Critical
CVE-2022-36099
was published
for
org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki
(Maven)
Sep 16, 2022
Command injection in Apache Maven maven-shared-utils
Critical
CVE-2022-29599
was published
for
org.apache.maven.shared:maven-shared-utils
(Maven)
May 24, 2022
Cross-site Scripting in Jenkins Random String Parameter Plugin
Moderate
CVE-2022-30966
was published
for
org.jenkins-ci.plugins:random-string-parameter
(Maven)
May 18, 2022
WooCommerce WordPress plugin before 6.6.0 vulnerable to stored HTML injection
Moderate
CVE-2022-2099
was published
for
woocommerce/woocommerce
(Composer)
Jul 18, 2022
Heron allows CRLF log injection
Critical
CVE-2021-42010
was published
for
org.apache.heron:heron-api
(Maven)
Oct 24, 2022
ProTip!
Advisories are also available from the
GraphQL API