GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
GitHub reviewed advisories
  All reviewed: 5,000+
  Composer: 4,077
  Erlang: 29
  GitHub Actions: 19
  Go: 1,903
  Maven: 5,000+
  npm: 3,632
  NuGet: 638
  pip: 3,249
  Pub: 10
  RubyGems: 864
  Rust: 818
  Swift: 35
Unreviewed advisories
  All unreviewed: 5,000+
960 advisories
node-latex-pdf is susceptible to command injection
Critical. CVE-2020-28433 was published for node-latex-pdf (npm) on Aug 3, 2022.

gitblame susceptible to command injection
Critical. CVE-2020-28434 was published for gitblame (npm) on Aug 3, 2022.

get-npm-package-version Command Injection vulnerability
Critical. CVE-2020-7795 was published for get-npm-package-version (npm) on Aug 3, 2022.

curljs Command Injection vulnerability
Critical. CVE-2020-28425 was published for curljs (npm) on Aug 3, 2022.

heroku-env susceptible to command injection
Critical. CVE-2020-28437 was published for heroku-env (npm) on Aug 3, 2022.

image-tiler susceptible to command injection
Critical. CVE-2020-28451 was published for image-tiler (npm) on Aug 3, 2022.

monorepo-build Command Injection vulnerability
Critical. CVE-2020-28423 was published for monorepo-build (npm) on Aug 3, 2022.

NextAuth.js before 4.10.3 and 3.29.10 sending verification requests (magic link) to unwanted emails
Critical. CVE-2022-35924 was published for next-auth (npm) on Aug 2, 2022.

google-cloudstorage-commands Command Injection vulnerability
Critical. CVE-2020-28436 was published for google-cloudstorage-commands (npm) on Jul 26, 2022.

deferred-exec Command Injection vulnerability
Critical. CVE-2020-28438 was published for deferred-exec (npm) on Jul 26, 2022.

conf-cfg-ini Prototype Pollution via malicious INI file before v1.2.2
Critical. CVE-2020-28441 was published for conf-cfg-ini (npm) on Jul 26, 2022.

ffmpeg-sdk vulnerable to OS Command Injection
Critical. CVE-2020-28435 was published for ffmpeg-sdk (npm) on Jul 26, 2022.

ion-parser Prototype Pollution when a malicious INI file is submitted to an application that parses it with `parse`
Critical. CVE-2020-28462 was published for ion-parser (npm) on Jul 26, 2022.

js-ini Prototype Pollution when a malicious INI file is submitted to an application that parses it with `parse`
Critical. CVE-2020-28461 was published for js-ini (npm) on Jul 26, 2022.

otp-generator before v3.0.0 insecurely generates random one-time passwords
Critical. CVE-2021-23451 was published for otp-generator (npm) on Jul 26, 2022.

node-import `params` argument can be controlled by users without any sanitization
Critical. CVE-2020-7678 was published for node-import (npm) on Jul 26, 2022.

sonar-wrapper Command Injection vulnerability
Critical. CVE-2020-28443 was published for sonar-wrapper (npm) on Jul 26, 2022.

xopen is vulnerable to OS Command Injection in exported function xopen(filepath)
Critical. CVE-2020-28447 was published for xopen (npm) on Jul 26, 2022.

ntesseract vulnerable to Command Injection
Critical. CVE-2020-28446 was published for ntesseract (npm) on Jul 26, 2022.

set-deep-prop Prototype Pollution
Critical. CVE-2021-23373 was published for set-deep-prop (npm) on Jul 26, 2022.

Joplin is vulnerable to arbitrary code execution
Critical. CVE-2022-35131 was published for joplin (npm) on Jul 26, 2022.

convert-svg-core vulnerable to remote code injection
Critical. CVE-2022-25759 was published for convert-svg-core (npm) on Jul 23, 2022.

Properties-Reader before v2.2.0 vulnerable to prototype pollution
Critical. CVE-2020-28471 was published for properties-reader (npm) on Jul 19, 2022.

thenify before 3.3.1 made use of unsafe calls to `eval`
Critical. CVE-2020-7677 was published for org.webjars.npm:thenify (Maven) on Jul 18, 2022.

Shescape vulnerable to insufficient escaping of whitespace
Critical. CVE-2022-31180 was published for shescape (npm) on Jul 15, 2022.
ProTip! Advisories are also available from the GraphQL API.