Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
43
Go
3,181
Maven
5,000+
npm
5,000+
NuGet
863
pip
4,474
Pub
12
RubyGems
991
Rust
1,185
Swift
51
Unreviewed advisories
All unreviewed
5,000+

12 advisories

Loading
markdown2 is vulnerable to cross-site scripting Moderate
CVE-2018-5773 was published for markdown2 (pip) Jul 12, 2018
woodruffw Credited to woodruffw
Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts` Low
CVE-2024-52587 was published for step-security/harden-runner (GitHub Actions) Nov 18, 2024
woodruffw Credited to woodruffw
Artifact poisoning vulnerability in action-download-artifact v5 and earlier High
GHSA-5xr6-xhww-33m4 was published for dawidd6/action-download-artifact (GitHub Actions) Nov 25, 2024
woodruffw Credited to woodruffw
sigstore has insufficient validation of integration timestamp during verification Low
CVE-2024-55655 was published for sigstore (pip) Dec 11, 2024
woodruffw Credited to woodruffw and Hayden-IO Hayden-IO Hayden-IO
pyrage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution High
CVE-2024-56327 was published for pyrage (pip) Dec 19, 2024
gaby Credited to gaby and woodruffw woodruffw woodruffw
rfc3161-client has insufficient verification for timestamp response signatures Critical
CVE-2025-52556 was published for rfc3161-client (pip) Jun 20, 2025
jku Credited to jku and woodruffw woodruffw woodruffw
uv allows ZIP payload obfuscation through parsing differentials Moderate
CVE-2025-54368 was published for uv (pip) Aug 7, 2025
charliermarsh Credited to charliermarsh, zanieb, woodruffw, thatch, and calebbrown zanieb zanieb
woodruffw woodruffw thatch thatch calebbrown calebbrown
PyPI publish GitHub Action vulnerable to injectable expression expansions in action steps Low
GHSA-vxmw-7h4f-hqxh was published for pypa/gh-action-pypi-publish (GitHub Actions) Sep 4, 2025
woodruffw Credited to woodruffw
uv has differential in tar extraction with PAX headers Low
GHSA-w476-p2h3-79g9 was published for uv (pip) Oct 21, 2025
woodruffw Credited to woodruffw and zanieb zanieb zanieb
uv allows ZIP payload obfuscation through parsing differentials Moderate
GHSA-pqhf-p39g-3x64 was published for uv (pip) Oct 29, 2025
calebbrown Credited to calebbrown, woodruffw, and zanieb woodruffw woodruffw
zanieb zanieb
astral-tokio-tar has a path traversal in tar extraction Moderate
CVE-2025-59825 was published for astral-tokio-tar (Rust) Sep 23, 2025
calebbrown Credited to calebbrown, woodruffw, charliermarsh, and zanieb woodruffw woodruffw
charliermarsh charliermarsh zanieb zanieb
astral-tokio-tar Vulnerable to PAX Header Desynchronization High
CVE-2025-62518 was published for astral-tokio-tar (Rust) Oct 21, 2025
woodruffw Credited to woodruffw, tycho, azenla, anners, mnm678, zanieb, and joshbressers tycho tycho
azenla azenla anners anners mnm678 mnm678 zanieb zanieb joshbressers joshbressers
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database