Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
86
GitHub Actions
54
Go
4,175
Maven
5,000+
npm
5,000+
NuGet
1,019
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,421
Swift
61
Unreviewed advisories
All unreviewed
5,000+

20 advisories

Loading
File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection High
CVE-2026-54090 was published for github.com/filebrowser/filebrowser/v2 (Go) Jun 12, 2026
RajChowdhury240 Credited to RajChowdhury240
NietThijmen ShoppingCart: Command injection in the connect function High
CVE-2024-53412 was published for github.com/NietThijmen/ShoppingCart (Go) Apr 15, 2026
Flannel has cross-node remote code execution via extension backend BackendData injection High
CVE-2026-32241 was published for github.com/flannel-io/flannel (Go) Mar 27, 2026
shachartal Credited to shachartal
DigitalOcean Droplet Agent: Command Injection via Metadata Service Endpoint High
CVE-2026-24516 was published for github.com/digitalocean/droplet-agent (Go) Mar 23, 2026
gardenctl is vulnerable to Command Injection when used with non‑POSIX shells High
CVE-2025-67508 was published for github.com/gardener/gardenctl-v2 (Go) Dec 11, 2025
petersutter Credited to petersutter, donistz, JordanJordanov, and HeckEK donistz donistz
JordanJordanov JordanJordanov HeckEK HeckEK
sqls-server/sqls is vulnerable to command injection in the config command High
CVE-2025-61141 was published for github.com/sqls-server/sqls (Go) Oct 30, 2025
1Panel agent certificate verification bypass leading to arbitrary command execution High
CVE-2025-54424 was published for github.com/1Panel-dev/1Panel/core (Go) Aug 1, 2025
lizicoco Credited to lizicoco
File Browser vulnerable to command execution allowlist bypass High
CVE-2025-52995 was published for github.com/filebrowser/filebrowser (Go) Jun 30, 2025
mtausig Credited to mtausig and hacdias hacdias hacdias
File Browser: Command Execution not Limited to Scope High
CVE-2025-52904 was published for github.com/filebrowser/filebrowser/v2 (Go) Jun 30, 2025
mtausig Credited to mtausig and hacdias hacdias hacdias
filebrowser Allows Shell Commands to Spawn Other Commands High
CVE-2025-52903 was published for github.com/filebrowser/filebrowser/v2 (Go) Jun 27, 2025
mtausig Credited to mtausig and hacdias hacdias hacdias
Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer High
CVE-2024-52308 was published for github.com/cli/cli (Go) Nov 14, 2024
sarahbarili Credited to sarahbarili, cmbrose, BlueSzy, andyfeller, BagToad, and Ry0taK cmbrose cmbrose
BlueSzy BlueSzy andyfeller andyfeller BagToad BagToad Ry0taK Ry0taK
HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation High
CVE-2024-6257 was published for github.com/hashicorp/go-getter (Go) Jun 25, 2024
CRI-O vulnerable to an arbitrary systemd property injection High
CVE-2024-3154 was published for github.com/cri-o/cri-o (Go) Apr 30, 2024
AkihiroSuda Credited to AkihiroSuda and cclerget cclerget cclerget
Withdrawn: Runc allows an arbitrary systemd property to be injected High
GHSA-c5pj-mqfh-rvc3 was published for github.com/opencontainers/runc (Go) Apr 26, 2024 withdrawn
AkihiroSuda Credited to AkihiroSuda
Authenticated (user role) arbitrary command execution by modifying `start_cmd` setting (GHSL-2023-268) High
CVE-2024-22198 was published for github.com/0xJacky/Nginx-UI (Go) Jan 11, 2024
jorgectf Credited to jorgectf and Hintay Hintay Hintay
Authenticated (user role) remote command execution by modifying `nginx` settings (GHSL-2023-269) High
CVE-2024-22197 was published for github.com/0xJacky/Nginx-UI (Go) Jan 11, 2024
jorgectf Credited to jorgectf and Hintay Hintay Hintay
Snowflake Golang Driver vulnerable to Command Injection High
CVE-2023-34231 was published for github.com/snowflakedb/gosnowflake (Go) Jun 9, 2023
Command injection in Git package in Wrangler High
CVE-2022-31249 was published for github.com/rancher/wrangler (Go) Jan 25, 2023
cokeBeer Credited to cokeBeer, aruneko, and tdunlap607 aruneko aruneko
tdunlap607 tdunlap607
Improper token validation leading to code execution in Teleport High
CVE-2022-36633 was published for github.com/gravitational/teleport (Go) Aug 25, 2022
Apache Thrift Go Library Command Injection High
CVE-2016-5397 was published for github.com/apache/thrift (Go) May 13, 2022
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database