GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Reviewed advisories by ecosystem (counts at time of capture):

  All reviewed      5,000+
  Composer          4,950
  Erlang            39
  GitHub Actions    38
  Go                2,603
  Maven             5,000+
  npm               4,250
  NuGet             755
  pip               4,013
  Pub               12
  RubyGems          953
  Rust              1,048
  Swift             45

Unreviewed advisories:

  All unreviewed    5,000+
1,947 advisories match the current filter; every entry listed below is rated High severity.

Advisory              Severity  Package (ecosystem)                             Published
GHSA-g8q2-24jh-5hpc   High      jQuery.UI.Combined (RubyGems)                   Jul 27, 2018 (withdrawn)
    High severity vulnerability that affects jquery-ui
CVE-2016-9177         High      com.sparkjava:spark-core (Maven)                Oct 4, 2018
    Spark allows remote attackers to read arbitrary files via a .. (dot dot) in the URI
CVE-2016-9878         High      org.springframework:spring-webmvc (Maven)       Oct 4, 2018
    Pivotal Spring Framework: paths provided to the ResourceServlet were not properly sanitized
CVE-2018-1000632      High      dom4j:dom4j (Maven)                             Oct 16, 2018
    Dom4j contains an XML injection vulnerability
CVE-2018-12538        High      org.eclipse.jetty:jetty-server (Maven)          Oct 16, 2018
    Access and integrity issue within Eclipse Jetty
CVE-2018-1000180      High      org.bouncycastle:bcprov-jdk14 (Maven)           Oct 16, 2018
    Bouncy Castle has a flaw in the low-level interface to the RSA key pair generator
CVE-2018-1327         High      org.apache.struts:struts2-rest-plugin (Maven)   Oct 16, 2018
    Apache Struts REST Plugin can potentially allow a DoS attack
CVE-2017-9787         High      org.apache.struts:struts2-core (Maven)          Oct 16, 2018
    Apache Struts: Spring AOP functionality vulnerable to a DoS attack
CVE-2017-9793         High      org.apache.struts:struts2-rest-plugin (Maven)   Oct 16, 2018
    The REST Plugin in Apache Struts is using an outdated XStream library
CVE-2017-9804         High      org.apache.struts:struts2-core (Maven)          Oct 16, 2018
    Apache Struts allows entering a custom URL in a form field if the built-in URLValidator is used
CVE-2017-9805         High      org.apache.struts:struts2-rest-plugin (Maven)   Oct 16, 2018
    REST Plugin in Apache Struts uses an XStreamHandler with an instance of XStream for deserialization without any type filtering
CVE-2018-8030         High      org.apache.qpid:apache-qpid-broker-j (Maven)    Oct 16, 2018
    Denial of service vulnerability exists when .NET and .NET Core improperly process XML documents
CVE-2017-7686         High      org.apache.ignite:ignite-core (Maven)           Oct 16, 2018
    Apache Ignite communicates to an external PHP server where sensitive information is sent
CVE-2015-5348         High      org.apache.camel:camel-ahc (Maven)              Oct 16, 2018
    Apache Camel can allow remote attackers to execute arbitrary commands
CVE-2017-5643         High      org.apache.camel:camel-core (Maven)             Oct 16, 2018
    Apache Camel's Validation Component is vulnerable to SSRF via remote DTDs and XXE
CVE-2014-0002         High      org.apache.camel:camel-core (Maven)             Oct 16, 2018
    Apache Camel's XSLT component allows remote attackers to read arbitrary files
CVE-2014-0003         High      org.apache.camel:camel-core (Maven)             Oct 16, 2018
    Apache Camel's XSLT component allows remote attackers to execute arbitrary Java methods
CVE-2017-14949        High      org.restlet.jse:org.restlet (Maven)             Oct 17, 2018
    Restlet Framework allows remote attackers to access arbitrary files via a crafted REST API HTTP request
CVE-2017-14868        High      org.restlet.jse:org.restlet.ext.jaxrs (Maven)   Oct 17, 2018
    Restlet Framework JAX-RS extension is vulnerable to XXE when using SimpleXMLProvider
CVE-2012-6153         High      org.apache.httpcomponents:httpclient (Maven)    Oct 17, 2018
    Improper certificate validation in org.apache.httpcomponents:httpclient
CVE-2018-11796        High      org.apache.tika:tika-core (Maven)               Oct 17, 2018
    Apache Tika is vulnerable to entity expansions, which can lead to a denial of service attack
CVE-2018-1335         High      org.apache.tika:tika-core (Maven)               Oct 17, 2018
    Command injection in org.apache.tika:tika-core
CVE-2016-4434         High      org.apache.tika:tika-core (Maven)               Oct 17, 2018
    Apache Tika does not properly initialize the XML parser or choose handlers
CVE-2018-11761        High      org.apache.tika:tika-core (Maven)               Oct 17, 2018
    High severity vulnerability that affects org.apache.tika:tika-core
        
ProTip: advisories are also available from the GraphQL API.
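The following is an added example of pulling this listing programmatically rather than scraping the page; it is not code from GitHub or from the advisory database page. The query is written against the securityAdvisories connection of GitHub's public GraphQL schema; reading the token from a GITHUB_TOKEN environment variable is this example's own convention, and SAMPLE_RESPONSE is a hand-constructed page in the response shape (placeholder GHSA ids, dates and version ranges) so that the flattening and filtering logic can be exercised offline. It keeps the two checks a practitioner wants when feeding advisories into a dependency scanner: withdrawn entries (such as the jquery-ui one above) are dropped, and the severity floor is applied before rows are emitted.

```python
"""Pull GitHub security advisories through the GraphQL API and flatten them.

Added example, not code from the GitHub Advisory Database page. The query
uses the securityAdvisories connection of GitHub's public GraphQL schema;
the token comes from the GITHUB_TOKEN environment variable (an assumption
of this example), and SAMPLE_RESPONSE is constructed by hand so the
flattening logic can run offline.
"""
import json
import os
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# Newest advisories first; each node carries the affected packages, their
# vulnerable version range and the first patched version.
ADVISORY_QUERY = """
query($first: Int!, $after: String) {
  securityAdvisories(first: $first, after: $after,
                     orderBy: {field: PUBLISHED_AT, direction: DESC}) {
    pageInfo { hasNextPage endCursor }
    nodes {
      ghsaId summary severity publishedAt withdrawnAt
      identifiers { type value }
      vulnerabilities(first: 10) {
        nodes {
          package { ecosystem name }
          vulnerableVersionRange
          firstPatchedVersion { identifier }
        }
      }
    }
  }
}
"""

SEVERITY_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3, "CRITICAL": 4}


def fetch_page(first=50, after=None, token=None):
    """POST one page of the query to api.github.com; needs network and a token."""
    token = token or os.environ.get("GITHUB_TOKEN")
    if not token:
        raise RuntimeError("set GITHUB_TOKEN to query the GraphQL API")
    body = json.dumps({"query": ADVISORY_QUERY,
                       "variables": {"first": first, "after": after}}).encode()
    req = urllib.request.Request(
        GRAPHQL_URL, data=body, method="POST",
        headers={"Authorization": "bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def flatten(response, ecosystem=None, min_severity="HIGH", drop_withdrawn=True):
    """Turn one response page into flat (advisory, package) records.

    Withdrawn advisories are skipped by default: a withdrawn entry must not
    drive remediation tickets. Severity is compared via SEVERITY_RANK.
    """
    if response.get("errors"):  # GraphQL can return errors next to partial data
        raise RuntimeError(response["errors"])
    rows = []
    for adv in response["data"]["securityAdvisories"]["nodes"]:
        if drop_withdrawn and adv.get("withdrawnAt"):
            continue
        if SEVERITY_RANK.get(adv["severity"], 0) < SEVERITY_RANK[min_severity]:
            continue
        cve = next((i["value"] for i in adv["identifiers"] if i["type"] == "CVE"), None)
        for vuln in adv["vulnerabilities"]["nodes"]:
            pkg = vuln["package"]
            if ecosystem and pkg["ecosystem"] != ecosystem:
                continue
            patched = vuln.get("firstPatchedVersion") or {}  # null when no fix exists
            rows.append({"ghsa": adv["ghsaId"], "cve": cve,
                         "severity": adv["severity"],
                         "ecosystem": pkg["ecosystem"], "package": pkg["name"],
                         "range": vuln["vulnerableVersionRange"],
                         "patched": patched.get("identifier"),
                         "summary": adv["summary"]})
    return rows


def _adv(ghsa, cve, summary, severity, eco, name, rng, patched, withdrawn=None):
    """Build one constructed advisory node in the response shape."""
    return {"ghsaId": ghsa, "summary": summary, "severity": severity,
            "publishedAt": "2018-10-16T00:00:00Z", "withdrawnAt": withdrawn,
            "identifiers": [{"type": "GHSA", "value": ghsa}]
                           + ([{"type": "CVE", "value": cve}] if cve else []),
            "vulnerabilities": {"nodes": [{
                "package": {"ecosystem": eco, "name": name},
                "vulnerableVersionRange": rng,
                "firstPatchedVersion": {"identifier": patched} if patched else None}]}}


# Constructed sample page: the GHSA-0000-... ids, timestamps and version
# ranges are placeholders, not data taken from the advisory database.
SAMPLE_RESPONSE = {"data": {"securityAdvisories": {
    "pageInfo": {"hasNextPage": False, "endCursor": None},
    "nodes": [
        _adv("GHSA-g8q2-24jh-5hpc", None,
             "High severity vulnerability that affects jquery-ui", "HIGH",
             "RUBYGEMS", "jQuery.UI.Combined", "< 1.12.0", None,
             withdrawn="2018-07-27T00:00:00Z"),
        _adv("GHSA-0000-0000-0001", "CVE-2017-9805",
             "REST Plugin in Apache Struts deserializes with XStream without type filtering",
             "HIGH", "MAVEN", "org.apache.struts:struts2-rest-plugin",
             "< 2.5.13", "2.5.13"),
        _adv("GHSA-0000-0000-0002", None, "Constructed moderate npm advisory",
             "MODERATE", "NPM", "example-package", "< 1.0.1", "1.0.1"),
    ]}}}


if __name__ == "__main__":
    page = fetch_page() if os.environ.get("GITHUB_TOKEN") else SAMPLE_RESPONSE
    for row in flatten(page):
        print(f'{row["ghsa"]} {row["cve"] or "-"} {row["severity"]:8} '
              f'{row["ecosystem"]}:{row["package"]} {row["range"]} -> {row["patched"]}')
```

Run with GITHUB_TOKEN set to query the live API (one page; follow pageInfo.endCursor for more), or without it to see the constructed sample flattened. The ecosystem filter uses the schema's enum spelling (MAVEN, NPM, RUBYGEMS, ...), so a request for only Maven advisories, matching the listing above, is `flatten(page, ecosystem="MAVEN")`.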