GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
23 advisories
Filter by severity
pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes
High
CVE-2026-55698
was published
for
pnpm
(npm)
Jun 26, 2026
pnpm: Repository-controlled configDependencies can select a pacquet native install engine
High
CVE-2026-55697
was published
for
pnpm
(npm)
Jun 26, 2026
Withdrawn Advisory: esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY
High
GHSA-gv7w-rqvm-qjhr
was published
for
esbuild
(npm)
Jun 12, 2026
•
withdrawn
Electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking local type bookmark
Critical
CVE-2026-45058
was published
for
electerm
(npm)
May 14, 2026
ONNX Untrusted Model Repository Warnings Suppressed by silent=True in onnx.hub.load() — Silent Supply-Chain Attack
High
CVE-2026-28500
was published
for
onnx
(pip)
Mar 16, 2026
stigmem-node's unsigned plugin override could be enabled without a second explicit acknowledgment
High
GHSA-w7pm-9g55-mxfm
was published
for
stigmem-node
(pip)
May 29, 2026
apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)
High
CVE-2026-42575
was published
for
chainguard.dev/apko
(Go)
May 4, 2026
Axios npm Supply Chain Incident Impacting @usebruno/cli
Critical
CVE-2026-34841
was published
for
@usebruno/cli
(npm)
Apr 2, 2026
pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies
High
CVE-2025-69263
was published
for
pnpm
(npm)
Jan 7, 2026
Sinatra vulnerable to Reflected File Download attack
High
CVE-2022-45442
was published
for
sinatra
(RubyGems)
Nov 30, 2022
RuoYi vulnerable to arbitrary file download
High
CVE-2023-27025
was published
for
com.ruoyi:ruoyi
(Maven)
Apr 2, 2023
Gradio lacks integrity checking on the downloaded FRP client
High
CVE-2024-47867
was published
for
gradio
(pip)
Oct 10, 2024
Django vulnerable to Reflected File Download attack
High
CVE-2022-36359
was published
for
Django
(pip)
Aug 11, 2022
Cargo prior to Rust 1.26.0 may download the wrong dependency
High
CVE-2019-16760
was published
for
cargo
(Rust)
May 24, 2022
WP Crontrol vulnerable to possible RCE when combined with a pre-condition
High
CVE-2024-28850
was published
for
johnbillion/wp-crontrol
(Composer)
Mar 25, 2024
RFD attack via Content-Disposition header sourced from request input by Spring MVC or Spring WebFlux Application
High
CVE-2020-5398
was published
for
org.springframework:spring-webflux
(Maven)
Jan 21, 2020
Artifact Hub has Incorrect Docker Hub registry check
Moderate
CVE-2023-45821
was published
for
github.com/artifacthub/hub
(Go)
Oct 19, 2023
Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment function
Moderate
CVE-2023-29401
was published
for
github.com/gin-gonic/gin
(Go)
May 12, 2023
Jenkins Plugin Installation Manager Tool did not verify plugin downloads
Critical
CVE-2020-2320
was published
for
io.jenkins.plugin-management:plugin-management-parent-pom
(Maven)
May 24, 2022
Eclipse Vorto resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS
High
CVE-2019-10248
was published
for
org.eclipse.vorto:org.eclipse.vorto.core
(Maven)
May 24, 2022
Incorrect Resource Transfer Between Spheres in Grails
High
CVE-2019-12728
was published
for
org.grails:grails-core
(Maven)
May 24, 2022
Cleartext Transmission of Sensitive Information, Inclusion of Functionality from Untrusted Control Sphere , and Download of Code Without Integrity Check in Eclipse hawkBit
High
CVE-2019-10240
was published
for
org.eclipse.hawkbit:hawkbit-autoconfigure
(Maven)
Apr 15, 2019
High severity vulnerability that affects generator-jhipster
High
GHSA-mc84-xr9p-938r
was published
for
generator-jhipster
(npm)
Sep 23, 2019
ProTip!
Advisories are also available from the
GraphQL API