GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (count per ecosystem)
  All reviewed: 5,000+
  Composer: 4,950
  Erlang: 39
  GitHub Actions: 38
  Go: 2,603
  Maven: 5,000+
  npm: 4,250
  NuGet: 755
  pip: 4,013
  Pub: 12
  RubyGems: 953
  Rust: 1,048
  Swift: 45

Unreviewed advisories
  All unreviewed: 5,000+
            17 advisories

"catalog's registry v2 api exposed on unauthenticated path in Harbor"
  Severity: Moderate | CVE-2020-29662 | github.com/goharbor/harbor (Go) | published Feb 12, 2022

Kiali Authentication Bypass vulnerability
  Severity: Moderate | CVE-2021-20278 | github.com/kiali/kiali (Go) | published Jun 1, 2021

usememos/memos Improper Authentication vulnerability
  Severity: Moderate | CVE-2022-4799 | github.com/usememos/memos (Go) | published Dec 28, 2022

Limited ability to spoof SAML authentication with missing audience verification in Fleet
  Severity: Moderate | CVE-2022-23600 | github.com/fleetdm/fleet/v4 (Go) | published Feb 7, 2022

Dapr API token authentication bypass in HTTP endpoints
  Severity: Moderate | CVE-2023-37918 | github.com/dapr/dapr (Go) | published Jul 21, 2023

Prometheus Exporter-Toolkit is vulnerable to authentication bypass
  Severity: Moderate | CVE-2022-46146 | github.com/prometheus/exporter-toolkit (Go) | published Dec 2, 2022

Etcd Gateway TLS authentication only applies to endpoints detected in DNS SRV records
  Severity: Moderate | CVE-2020-15136 | go.etcd.io/etcd (Go) | published Jan 31, 2024

Unauthenticated Access to sensitive settings in Argo CD
  Severity: Moderate | CVE-2024-37152 | github.com/argoproj/argo-cd/v2/server (Go) | published Jun 6, 2024

PocketBase performs password auth and OAuth2 unverified email linking
  Severity: Moderate | CVE-2024-38351 | github.com/pocketbase/pocketbase (Go) | published Jun 18, 2024

Grafana when using email as a username can block other users from signing in
  Severity: Moderate | CVE-2022-39229 | github.com/grafana/grafana (Go) | published May 14, 2024

SFTPGo has insufficient access control for password reset
  Severity: Moderate | CVE-2024-37897 | github.com/drakkan/sftpgo/v2 (Go) | published Jun 20, 2024

Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials
  Severity: Moderate | CVE-2024-45042 | github.com/ory/kratos (Go) | published Sep 26, 2024

Re-creating a deleted user in lakeFS will re-enable previous user credentials that existed prior to its deletion
  Severity: Moderate | CVE-2024-43784 | github.com/treeverse/lakefs (Go) | published Nov 26, 2024

Navidrome allows an authentication bypass in Subsonic API with non-existent username
  Severity: Moderate | CVE-2025-27112 | github.com/navidrome/navidrome (Go) | published Feb 25, 2025

MinIO allows an SFTP authentication bypass due to improperly trusted SSH key
  Severity: Moderate | CVE-2025-27414 | github.com/minio/minio (Go) | published Mar 3, 2025

matrix-media-repo (MMR) allows unauthenticated writes to the media repository, which may allow planting of problematic content
  Severity: Moderate | CVE-2024-36402 | github.com/t2bot/matrix-media-repo (Go) | published Jan 16, 2025

Dragonfly's manager makes requests to external endpoints with disabled TLS authentication
  Severity: Moderate | CVE-2025-59347 | d7y.io/dragonfly/v2 (Go) | published Sep 17, 2025
        
Advisories are also available from the GraphQL API.