GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

48 advisories

Harbor allows the use of the default password for web UI login Critical
CVE-2026-4404 was published for github.com/goharbor/harbor (Go) Mar 23, 2026
Katello uses hard coded credential Critical
CVE-2012-3503 was published for katello (RubyGems) May 17, 2022
Credited to postmodern
Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret Low
CVE-2026-27167 was published for gradio (pip) Mar 1, 2026
Credited to tenbbughunters
EVE Has Partially Predetermined Vault Key Moderate
CVE-2023-43637 was published for github.com/lf-edge/eve (Go) Feb 4, 2026
Duplicate Advisory: EVE Has Partially Predetermined Vault Key High
GHSA-hx74-4wmc-fwvf was published for github.com/lf-edge/eve (Go) Sep 21, 2023 withdrawn
FUXA contains a hard-coded credential vulnerability High
CVE-2025-69971 was published for fuxa-server (npm) Feb 3, 2026
Hard-coded System User Credentials in Folio Data Export Spring module Moderate
CVE-2024-23685 was published for org.folio:mod-remote-storage (Maven) Jul 25, 2023
Duplicate Advisory: Hard-coded credentials in org.folio:mod-remote-storage Moderate
GHSA-hv5g-q4h3-64q4 was published for org.folio:mod-remote-storage (Maven) Jan 19, 2024 withdrawn
Hard-coded System User Credentials in Folio Data Export Spring module Critical
CVE-2024-23687 was published for org.folio:mod-data-export-spring (Maven) Jul 25, 2023
Duplicate Advisory: Hard-coded credentials in org.folio:mod-data-export-spring Critical
GHSA-9rhq-86fm-qxqc was published for org.folio:mod-data-export-spring (Maven) Jan 20, 2024 withdrawn
RustFS has a gRPC Hardcoded Token Authentication Bypass Critical
CVE-2025-68926 was published for rustfs (Rust) Dec 30, 2025
SQLE's JWT Secret Handler can be manipulated to use hard-coded cryptographic key Low
CVE-2025-15107 was published for github.com/actiontech/sqle (Go) Dec 27, 2025
Apache StreamPark has a hard-coded encryption key High
CVE-2025-54947 was published for org.apache.streampark:streampark (Maven) Dec 12, 2025
AstrBot is vulnerable to RCE with hard-coded JWT signing keys Critical
CVE-2025-55449 was published for astrbot (pip) Nov 14, 2025
Credited to Marven11, Raven95676, and Soulter
Allstar Reviewbot has Authentication Bypass via Hard-coded Webhook Secret Moderate
CVE-2025-61926 was published for github.com/ossf/allstar (Go) Oct 10, 2025
Credited to AdamKorcz and justaugustus
Incorrect handling of credential expiry by /nats-io/nats-server Critical
CVE-2020-26892 was published for github.com/nats-io/jwt (Go) Feb 11, 2022
hippo4j Includes Hard Coded Secret Key in JWT Creation High
CVE-2025-51606 was published for cn.hippo4j:hippo4j-core (Maven) Aug 21, 2025
Dragonfly2 has hard coded cryptographic key Critical
CVE-2023-27584 was published for d7y.io/dragonfly/v2 (Go) Sep 19, 2024
Credited to cokeBeer and gaius-qi
Apache Submarine Commons Utils has a hard-coded secret Moderate
CVE-2024-36264 was published for apache-submarine (Maven) Jun 12, 2024
Keycloak Build Process Exposes Sensitive Data High
CVE-2024-10451 was published for org.keycloak:keycloak-quarkus-server (Maven) Nov 25, 2024
Credited to shawkins
Hard coded credentials in FreeTAKServer High
CVE-2022-25510 was published for FreeTAKServer (pip) Mar 12, 2022
Duplicate Advisory: Keycloak Build Process Exposes Sensitive Data Moderate
GHSA-jcgg-mg9g-p9wf was published for org.keycloak:keycloak-quarkus-server (Maven) Nov 25, 2024 withdrawn
Apache Doris hardcoded key and IV High
CVE-2022-23942 was published for pydoris (pip) Apr 27, 2022
EverShop at risk to unauthorized access via weak HMAC secret Critical
CVE-2023-46943 was published for @evershop/evershop (npm) Jan 13, 2024
VM images built with Image Builder and Proxmox provider use default credentials in github.com/kubernetes-sigs/image-builder Critical
CVE-2024-9486 was published for github.com/kubernetes-sigs/image-builder (Go) Oct 15, 2024