GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
91
GitHub Actions
54
Go
4,194
Maven
5,000+
npm
5,000+
NuGet
1,021
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,422
Swift
61
Unreviewed advisories
All unreviewed
5,000+
56 advisories
Filter by severity
Elvish vulnerable to remote code execution via the web UI backend
High
CVE-2021-41088
was published
for
github.com/elves/elvish
(Go)
Sep 23, 2021
Remote code execution in Eclipse Theia
High
CVE-2021-34435
was published
for
@theia/mini-browser
(npm)
Sep 2, 2021
Origin Validation Error in Apache NiFi
High
CVE-2017-7667
was published
for
org.apache.nifi:nifi
(Maven)
May 17, 2022
Origin Validation Error in Magento 2
High
CVE-2020-8818
was published
for
cardgate/magento2
(Composer)
Oct 12, 2021
RubyGems has Origin Validation Error vulnerability
High
CVE-2017-0902
was published
for
rubygems-update
(RubyGems)
May 13, 2022
HashiCorp Consul vulnerable to Origin Validation Error
High
CVE-2019-9764
was published
for
github.com/hashicorp/consul
(Go)
May 13, 2022
CardGate Payments plugin for WooCommerce does not validate request origin
High
CVE-2020-8819
was published
for
cardgate/woocommerce
(Composer)
May 24, 2022
Backend Same-Site Request Forgery in TYPO3 CMS
High
CVE-2020-11069
was published
for
typo3/cms
(Composer)
May 13, 2020
Keycloak path traversal vulnerability in the redirect validation
High
CVE-2024-2419
was published
for
org.keycloak:keycloak-services
(Maven)
Apr 17, 2024
Cross-site WebSocket hijacking vulnerability in the Jenkins CLI
High
CVE-2024-23898
was published
for
org.jenkins-ci.main:jenkins-core
(Maven)
Jan 24, 2024
Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS
High
CVE-2024-1249
was published
for
org.keycloak:keycloak-services
(Maven)
Apr 17, 2024
Flowise Cors Misconfiguration in packages/server/src/index.ts
High
CVE-2024-36421
was published
for
flowise
(npm)
Aug 5, 2024
Cookie and header exposure in twisted
High
CVE-2022-21712
was published
for
Twisted
(pip)
Feb 7, 2022
Gradios's CORS origin validation is not performed when the request has a cookie
High
CVE-2024-47084
was published
for
gradio
(pip)
Oct 10, 2024
Feast Cross-Origin Resource Sharing vulnerability
High
CVE-2024-11602
was published
for
feast
(pip)
Mar 20, 2025
Prefect CORS (Cross-Origin Resource Sharing) misconfiguration
High
CVE-2024-8183
was published
for
prefect
(pip)
Mar 20, 2025
Ollama DNS rebinding vulnerability
High
CVE-2024-28224
was published
for
github.com/ollama/ollama
(Go)
Apr 8, 2024
Phoenix before 1.6.14 mishandles check_origin wildcarding
High
CVE-2022-42975
was published
for
phoenix
(Erlang)
Oct 17, 2022
pgadmin4 is affected by a Cross-Origin Opener Policy (COOP) vulnerability
High
CVE-2025-9636
was published
for
pgadmin4
(pip)
Sep 5, 2025
Neo4j Cypher MCP server is vulnerable to DNS rebinding
High
CVE-2025-10193
was published
for
mcp-neo4j-cypher
(pip)
Sep 11, 2025
Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass
High
CVE-2025-59845
was published
for
@apollo/explorer
(npm)
Sep 26, 2025
MLFlow is vulnerable to DNS rebinding attacks due to a lack of Origin header validation
High
CVE-2025-14279
was published
for
mlflow
(pip)
Jan 12, 2026
Feathers has an origin validation bypass via prefix matching
High
CVE-2026-27192
was published
for
@feathersjs/authentication-oauth
(npm)
Feb 19, 2026
ProTip!
Advisories are also available from the
GraphQL API