GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem (all reviewed: 5,000+):
  Composer: 4,486
  Erlang: 33
  GitHub Actions: 24
  Go: 2,211
  Maven: 5,000+
  npm: 3,868
  NuGet: 696
  pip: 3,642
  Pub: 12
  RubyGems: 913
  Rust: 920
  Swift: 38
Unreviewed advisories (all unreviewed): 5,000+

257 advisories in the current listing
Advisory | Severity | Identifier | Package (ecosystem) | Published
Flowise allows arbitrary file write to RCE | Critical | GHSA-8vvx-qvq9-5948 | flowise (npm) | Mar 14, 2025
graphql allows remote code execution when loading a crafted GraphQL schema | Critical | CVE-2025-27407 | graphql (RubyGems) | Mar 12, 2025
Mautic allows Remote Code Execution and File Deletion in Asset Uploads | Critical | CVE-2024-47051 | mautic/core (Composer) | Feb 26, 2025
Withdrawn Advisory: Command injection in Ray | Critical | CVE-2024-57000 | ray (pip) | Feb 12, 2025 (withdrawn)
PandasAI interactive prompt function Remote Code Execution (RCE) | Critical | CVE-2024-12366 | pandasai (pip) | Feb 11, 2025
Mongoose search injection vulnerability | Critical | CVE-2025-23061 | mongoose (npm) | Jan 15, 2025
Rasa Allows Remote Code Execution via Remote Model Loading | Critical | CVE-2024-49375 | rasa (pip) | Jan 14, 2025
Apache MINA Deserialization RCE Vulnerability | Critical | CVE-2024-52046 | org.apache.mina:mina-core (Maven) | Dec 25, 2024
Gogs allows argument injection during the previewing of changes | Critical | CVE-2024-39932 | gogs.io/gogs (Go) | Dec 23, 2024
Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled | Critical | CVE-2024-56145 | craftcms/cms (Composer) | Dec 18, 2024
Angular Expressions - Remote Code Execution when using locals | Critical | CVE-2024-54152 | angular-expressions (npm) | Dec 10, 2024
hull.js Code Injection Vulnerability | Critical | GHSA-q849-wxrc-vqrp | hull.js (npm) | Dec 2, 2024
Grafana Command Injection And Local File Inclusion Via Sql Expressions | Critical | CVE-2024-9264 | github.com/grafana/grafana (Go) | Oct 18, 2024
JSONPath Plus Remote Code Execution (RCE) Vulnerability | Critical | CVE-2024-21534 | jsonpath-plus (Maven) | Oct 11, 2024
pyload-ng vulnerable to RCE with js2py sandbox escape | Critical | CVE-2024-39205 | pyload-ng (pip) | Sep 9, 2024
LlamaIndex includes an exec call for `import {cls_name}` | Critical | CVE-2024-45201 | llama-index-core (pip) | Aug 22, 2024
Apache Dolphinscheduler Code Injection vulnerability | Critical | CVE-2024-43202 | org.apache.dolphinscheduler:dolphinscheduler-task-api (Maven) | Aug 20, 2024
Nuxt vulnerable to remote code execution via the browser when running the test locally | Critical | CVE-2024-34344 | nuxt (npm) | Aug 5, 2024
XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet | Critical | CVE-2024-37901 | org.xwiki.platform:xwiki-platform-search-ui (Maven) | Jul 31, 2024
Remote code execution in Spring Cloud Data Flow | Critical | CVE-2024-37084 | org.springframework.cloud:spring-cloud-skipper (Maven) | Jul 25, 2024
langchain-experimental vulnerable to Arbitrary Code Execution | Critical | CVE-2024-21513 | langchain-experimental (pip) | Jul 15, 2024
Duplicate Advisory: Gogs allows argument injection during the previewing of changes | Critical | GHSA-hf29-9hfh-w63j | github.com/gogs/gogs (Go) | Jul 4, 2024 (withdrawn)
Gradio was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py | Critical | CVE-2024-39236 | Gradio (pip) | Jul 1, 2024
Remote Code Execution (RCE) vulnerability in geoserver | Critical | CVE-2024-36401 | org.geoserver.web:gs-web-app (Maven) | Jul 1, 2024
jsonic was discovered to contain a prototype pollution via the function empty | Critical | CVE-2024-38993 | jsonic (npm) | Jul 1, 2024 (withdrawn)
Advisories are also available from the GraphQL API.