GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
4,134
Erlang
30
GitHub Actions
19
Go
1,941
Maven
5,000+
npm
3,681
NuGet
650
pip
3,299
Pub
11
RubyGems
878
Rust
830
Swift
35
Unreviewed advisories
All unreviewed
5,000+
406 advisories
Filter by severity
Improper Authentication vulnerability in Apache Solr
Critical
CVE-2024-45216
was published
for
org.apache.solr:solr
(Maven)
Oct 16, 2024
Matrix JavaScript SDK's key history sharing could share keys to malicious devices
High
CVE-2024-47080
was published
for
matrix-js-sdk
(npm)
Oct 15, 2024
PAM module may allow accessing with the credentials of another user
High
CVE-2024-9313
was published
for
github.com/ubuntu/authd
(Go)
Oct 3, 2024
Jenkins OpenId Connect Authentication Plugin lacks issuer claim validation
Critical
CVE-2024-47807
was published
for
org.jenkins-ci.plugins:oic-auth
(Maven)
Oct 2, 2024
Jenkins OpenId Connect Authentication Plugin lacks audience claim validation
Critical
CVE-2024-47806
was published
for
org.jenkins-ci.plugins:oic-auth
(Maven)
Oct 2, 2024
Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials
Moderate
CVE-2024-45042
was published
for
github.com/ory/kratos
(Go)
Sep 26, 2024
Mautic vulnerable to Improper Access Control in UI upgrade process
High
CVE-2022-25768
was published
for
mautic/core
(Composer)
Sep 18, 2024
OpenDaylight Authentication, Authorization and Accounting (AAA) peer impersonation vulnerability
Moderate
CVE-2024-46943
was published
for
org.opendaylight.aaa:aaa-artifacts
(Maven)
Sep 16, 2024
Lunary Improper Authentication vulnerability
Moderate
CVE-2024-6582
was published
for
lunary
(npm)
Sep 13, 2024
Eclipse Dataspace Components's ConsumerPullTransferTokenValidationApiController doesn't check for token validit
Moderate
CVE-2024-8642
was published
for
org.eclipse.edc:transfer-data-plane
(Maven)
Sep 11, 2024
Flowise Authentication Bypass vulnerability
High
CVE-2024-8181
was published
for
flowise
(npm)
Aug 27, 2024
Ghost's improper authentication allows access to member information and actions
Moderate
CVE-2024-43409
was published
for
@tryghost/portal
(npm)
Aug 20, 2024
Spring Security Missing Authorization vulnerability
Moderate
CVE-2024-38810
was published
for
org.springframework.security:spring-security-core
(Maven)
Aug 20, 2024
s2n-tls's mTLS API ordering may skip client authentication
Moderate
GHSA-857q-xmph-p2v5
was published
for
s2n-tls
(Rust)
Aug 9, 2024
RobotsAndPencils go-saml authentication bypass vulnerability
High
CVE-2023-48703
was published
for
github.com/RobotsAndPencils/go-saml
(Go)
Aug 5, 2024
Alpine allows Authentication Filter bypass
Moderate
CVE-2022-23554
was published
for
us.springett:alpine
(Maven)
Aug 5, 2024
pREST vulnerable to jwt bypass + sql injection
Critical
GHSA-wm25-j4gw-6vr3
was published
for
github.com/prest/prest
(Go)
Jul 30, 2024
Craft CMS Allows TOTP Token To Stay Valid After Use
Moderate
CVE-2024-41800
was published
for
craftcms/cms
(Composer)
Jul 25, 2024
matrix-sdk-crypto's `UserIdentity::is_verified` not checking verification status of own user identity while performing the check
Moderate
CVE-2024-40648
was published
for
matrix-sdk-crypto
(Rust)
Jul 18, 2024
Skupper uses a static cookie secret for the openshift oauth-proxy
Moderate
CVE-2024-6535
was published
for
github.com/skupperproject/skupper
(Go)
Jul 17, 2024
SurrealDB vulnerable to Improper Authentication when Changing Databases as Scope User
Moderate
GHSA-gh9f-6xm2-c4j2
was published
for
surrealdb
(Rust)
Jul 11, 2024
SFTPGo has insufficient access control for password reset
Moderate
CVE-2024-37897
was published
for
github.com/drakkan/sftpgo/v2
(Go)
Jun 20, 2024
PocketBase performs password auth and OAuth2 unverified email linking
Moderate
CVE-2024-38351
was published
for
github.com/pocketbase/pocketbase
(Go)
Jun 18, 2024
Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider
High
CVE-2023-22650
was published
for
github.com/rancher/rancher
(Go)
Jun 17, 2024
Firefly III has a MFA bypass in oauth flow
Moderate
CVE-2024-37893
was published
for
grumpydictator/firefly-iii
(Composer)
Jun 17, 2024
ProTip!
Advisories are also available from the
GraphQL API