Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,655
Maven
5,000+
npm
4,284
NuGet
760
pip
4,067
Pub
12
RubyGems
957
Rust
1,057
Swift
45
Unreviewed advisories
All unreviewed
5,000+

35 advisories

Loading
Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change High
GHSA-fjh6-8679-9pch was published for flowise-ui (npm) Nov 14, 2025
mbiesiad
Credited to mbiesiad
Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials) High
GHSA-x39m-3393-3qp4 was published for flowise-ui (npm) Nov 14, 2025
mbiesiad
Credited to mbiesiad
Dragonfly doesn't have authentication enabled for some Manager’s endpoints High
CVE-2025-59345 was published for d7y.io/dragonfly/v2 (Go) Sep 17, 2025
gaius-qi
Credited to gaius-qi
Chaos Mesh's Chaos Controller Manager is Missing Authentication for Critical Function High
CVE-2025-59358 was published for github.com/chaos-mesh/chaos-mesh (Go) Sep 15, 2025
Mattermost Confluence Plugin is Missing Authentication for Critical Function High
CVE-2025-44004 was published for github.com/mattermost/mattermost-plugin-confluence (Go) Aug 11, 2025
Mattermost Fails to Enforce MFA on Plugin Endpoints High
CVE-2025-25068 was published for github.com/mattermost/mattermost/server/v8 (Go) Mar 21, 2025
Open WebUI lacks authentication for the `api/v1/utils/pdf` endpoint High
CVE-2024-8053 was published for open-webui (pip) Mar 20, 2025
Duplicate Advisory: Mautic has insufficient authentication in upgrade flow High
GHSA-5hc5-fxr9-5frc was published for mautic/core (Composer) Sep 19, 2024 withdrawn
Withdrawn Advisory: Lunary Improper Authentication vulnerability High
CVE-2024-6582 was published for lunary (npm) Sep 13, 2024 withdrawn
vincelwt
Credited to vincelwt
Chisel's AUTH environment variable not respected in server entrypoint High
CVE-2024-43798 was published for github.com/jpillora/chisel (Go) Aug 27, 2024
lleyton korewaChino
jpillora
Credited to lleyton, korewaChino, and jpillora
Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider High
CVE-2023-22650 was published for github.com/rancher/rancher (Go) Jun 17, 2024
STRIMZI incorrect access control High
CVE-2024-36543 was published for io.strimzi:strimzi (Maven) Jun 17, 2024
Apache Pulsar: Improper Authentication for Pulsar Proxy Statistics Endpoint High
CVE-2022-34321 was published for org.apache.pulsar:pulsar-proxy (Maven) Mar 12, 2024
oscerd
Credited to oscerd
RPyC's missing security check results in code execution when using numpy.array on the server-side. High
CVE-2024-27758 was published for rpyc (pip) Mar 6, 2024
renbou comrumino
Credited to renbou and comrumino
Answer Missing Authentication for Critical Function High
CVE-2023-4815 was published for github.com/answerdev/answer (Go) Sep 7, 2023
Mage-ai missing user authentication High
CVE-2023-31143 was published for mage-ai (pip) May 5, 2023
Apollo has potential access control security issue in eureka High
CVE-2023-25570 was published for com.ctrip.framework.apollo:apollo (Maven) Feb 22, 2023
Broken Access Control in 3rd party TYPO3 extension "femanager" High
CVE-2023-25013 was published for in2code/femanager (Composer) Feb 2, 2023
ohader
Credited to ohader
Broken Access Control in 3rd party TYPO3 extension "femanager" High
CVE-2023-25014 was published for in2code/femanager (Composer) Feb 2, 2023
ohader
Credited to ohader
Dapr Dashboard vulnerable to Incorrect Access Control High
CVE-2022-38817 was published for github.com/dapr/dashboard (Go) Oct 4, 2022
Apache Hive before 3.1.3 `CREATE` and `DROP` function operations do not check for necessary authorization. High
CVE-2021-34538 was published for org.apache.hive:hive (Maven) Jul 17, 2022
GramAddict bot uses dependency with reverse tcp backdoor High
CVE-2020-36245 was published for GramAddict (pip) May 24, 2022
Microweber Discloses Sensitive Information High
CVE-2020-13405 was published for microweber/microweber (Composer) May 24, 2022
TeamPass files are available without authentication High
CVE-2020-12478 was published for nilsteampassnet/teampass (Composer) May 24, 2022
Openstack Aodh can be used to launder Keystone trusts High
CVE-2017-12440 was published for aodh (pip) May 13, 2022
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database