Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,454
Erlang
33
GitHub Actions
22
Go
2,153
Maven
5,000+
npm
3,818
NuGet
693
pip
3,492
Pub
12
RubyGems
902
Rust
903
Swift
38
Unreviewed advisories
All unreviewed
5,000+

3,492 advisories

Loading
unstructured XML External Entity (XXE) Moderate
CVE-2024-46455 was published for unstructured (pip) Dec 9, 2024
Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions Low
CVE-2024-53947 was published for apache-superset (pip) Dec 9, 2024
Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled High
CVE-2024-53949 was published for apache-superset (pip) Dec 9, 2024
Apache Superset: Error verbosity exposes metadata in analytics databases Moderate
CVE-2024-53948 was published for apache-superset (pip) Dec 9, 2024
Django denial-of-service in django.utils.html.strip_tags() Moderate
CVE-2024-53907 was published for Django (pip) Dec 6, 2024
Django SQL injection in HasKey(lhs, rhs) on Oracle High
CVE-2024-53908 was published for Django (pip) Dec 6, 2024
pyspider Cross-Site Request Forgery (CSRF) via the Flask endpoints High
CVE-2024-39163 was published for pyspider (pip) Dec 4, 2024
Mobile Security Framework (MobSF) Stored Cross-Site Scripting Vulnerability in "Diff or Compare" Functionality Moderate
CVE-2024-53999 was published for mobsf (pip) Dec 3, 2024
lDomenx
Synapse Matrix has a partial room state leak via Sliding Sync Moderate
CVE-2024-53867 was published for matrix-synapse (pip) Dec 3, 2024
Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders High
CVE-2024-53863 was published for matrix-synapse (pip) Dec 3, 2024
Synapse allows a a malformed invite to break the invitee's `/sync` High
CVE-2024-52815 was published for matrix-synapse (pip) Dec 3, 2024
Synapse allows unsupported content types to lead to memory exhaustion High
CVE-2024-52805 was published for matrix-synapse (pip) Dec 3, 2024
Synapse's unauthenticated writes to the media repository allow planting of problematic content Moderate
CVE-2024-37303 was published for matrix-synapse (pip) Dec 3, 2024
Synapse denial of service through media disk space consumption High
CVE-2024-37302 was published for matrix-synapse (pip) Dec 3, 2024
Denial of service (DoS) via deformation `multipart/form-data` boundary High
CVE-2024-53981 was published for python-multipart (pip) Dec 2, 2024
Startr4ck defnull
mnqazi
Python package "zhmcclient" stores passwords in clear text in its HMC and API logs Moderate
CVE-2024-53865 was published for zhmcclient (pip) Dec 2, 2024
andy-maier
PyJWT Issuer field partial matches allowed Low
CVE-2024-53861 was published for PyJWT (pip) Dec 2, 2024
fabianbadoi
check-jsonschema default caching for remote schemas allows for cache confusion Moderate
CVE-2024-53848 was published for check-jsonschema (pip) Dec 2, 2024
sethmlarson sirosen
pyspider Cross-site Scripting vulnerability Moderate
CVE-2024-39162 was published for pyspider (pip) Nov 29, 2024
Password Policy Bypass Vulnerability in Fides Webserver User Accept Invite API Low
CVE-2024-52008 was published for ethyca-fides (pip) Nov 26, 2024
h0wl andres-torres-marroquin
daveqnet erosselli
aiocpa contains credential harvesting code High
GHSA-486g-47cc-8wxf was published for aiocpa (pip) Nov 25, 2024
MLflow's excessive directory permissions allow local privilege escalation High
CVE-2024-27134 was published for mlflow (pip) Nov 25, 2024
libre-chat Path Traversal vulnerability Moderate
CVE-2024-52787 was published for libre-chat (pip) Nov 25, 2024
OpenStack Neutron can use an incorrect ID during policy enforcement Moderate
CVE-2024-53916 was published for neutron (pip) Nov 25, 2024
bottarocarlo
virtualenv allows command injection through activation scripts for a virtual environment High
CVE-2024-53899 was published for virtualenv (pip) Nov 24, 2024
lboynton
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database