GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

29 advisories

OpenClaw: Workspace dotenv files cannot override connector endpoint hosts Moderate
GHSA-55cf-xx38-4p9p was published for openclaw (npm) May 4, 2026
Credited to qi-scape
External Control of File Name or Path in Langflow High
CVE-2025-68478 was published for langflow (pip) Dec 19, 2025
Credited to J1vvoo and im-soohyun
Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking Moderate
CVE-2024-7625 was published for github.com/hashicorp/nomad (Go) Aug 15, 2024
snapd failed to properly check the destination of symbolic links when extracting a snap Low
CVE-2024-29069 was published for github.com/snapcore/snapd (Go) Jul 25, 2024
HashiCorp Nomad is vulnerable to path escape through archive unpacking during migration High
CVE-2024-6717 was published for github.com/hashicorp/nomad (Go) Jul 23, 2024
Credited to dduzgun-security
CometBFT is unstability during blocksync when syncing from malicious peer Moderate
GHSA-hg58-rf2h-6rr7 was published for github.com/cometbft/cometbft (Go) Jun 28, 2024
Credited to unknownfeature
Grafana Fine-grained access control vulnerability Critical
CVE-2021-41244 was published for github.com/grafana/grafana (Go) May 14, 2024
Spin applications with specific configuration vulnerable to potential network sandbox escape Critical
CVE-2024-32980 was published for spin-sdk (Rust) May 8, 2024
php-svg-lib lacks path validation on font through SVG inline styles Moderate
CVE-2024-25117 was published for phenx/php-svg-lib (Composer) Feb 21, 2024
Micronaut management endpoints vulnerable to drive-by localhost attack Moderate
CVE-2024-23639 was published for io.micronaut:micronaut-http-server (Maven) Feb 9, 2024
HashiCorp Nomad vulnerable to symlink attacks High
CVE-2024-1329 was published for github.com/hashicorp/nomad (Go) Feb 8, 2024
External Control of File Name or Path in h2oai/h2o-3 Critical
CVE-2023-6569 was published for h2o (pip) Dec 14, 2023
Credited to RainSignal
in-toto vulnerable to Configuration Read From Local Directory Moderate
CVE-2023-32076 was published for in-toto (pip) May 11, 2023
Moodle External Control of File Name or Path vulnerability Moderate
CVE-2023-30943 was published for moodle/moodle (Composer) May 2, 2023
Agent-to-controller security bypass vulnerability in Jenkins BMC Compuware Source Code Download for Endevor, PDS, and ISPW Plugin Moderate
CVE-2022-43423 was published for com.compuware.jenkins:compuware-scm-downloader (Maven) Oct 19, 2022
Credited to NotMyFault
Agent-to-controller security bypass vulnerabilities in Jenkins Compuware Topaz for Total Test Plugin High
CVE-2022-43428 was published for com.compuware.jenkins:compuware-topaz-for-total-test (Maven) Oct 19, 2022
Credited to NotMyFault
Externally Controlled Reference to a Resource in Another Sphere in ruby-mysql Moderate
CVE-2021-3779 was published for ruby-mysql (RubyGems) Jun 29, 2022
phpBB Server-Side Request Forgery Vulnerability Moderate
CVE-2020-8226 was published for phpbb/phpbb (Composer) May 24, 2022
Credited to Rudloff
ingress-nginx component for Kubernetes allows file overwrite Moderate
CVE-2020-8553 was published for k8s.io/ingress-nginx (Go) May 24, 2022
Shopware XXE Vulnerability Moderate
CVE-2017-18357 was published for shopware/shopware (Composer) May 14, 2022
Confused Deputy in Kubernetes Low
CVE-2021-25740 was published for k8s.io/kubernetes (Go) Sep 21, 2021
Confused Deputy in Kubernetes Moderate
CVE-2020-8561 was published for k8s.io/kubernetes (Go) Sep 21, 2021
ExternalName Services can be used to gain access to Envoy's admin interface High
CVE-2021-32783 was published for github.com/projectcontour/contour (Go) Aug 30, 2021
Credited to josh-ferrell
Externally Controlled Reference to a Resource in Another Sphere and Confused Deputy in Spring Cloud Netflix Moderate
CVE-2020-5412 was published for org.springframework.cloud:spring-cloud-netflix (Maven) Apr 30, 2021