Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,750
Erlang
35
GitHub Actions
29
Go
2,323
Maven
5,000+
npm
3,956
NuGet
712
pip
3,739
Pub
12
RubyGems
921
Rust
973
Swift
38
Unreviewed advisories
All unreviewed
5,000+

50 advisories

Loading
Passport-wsfed-saml2 allows SAML Authentication Bypass via Attribute Smuggling High
CVE-2025-46573 was published for passport-wsfed-saml2 (npm) May 6, 2025
kevinroh-okta
Passport-wsfed-saml2 allows SAML Authentication Bypass via Signature Wrapping Critical
CVE-2025-46572 was published for passport-wsfed-saml2 (npm) May 6, 2025
@cloudflare/workers-oauth-provider PKCE bypass via downgrade attack Moderate
CVE-2025-4144 was published for @cloudflare/workers-oauth-provider (npm) May 1, 2025
Duplicate Advisory: @cloudflare/workers-oauth-provider PKCE bypass via downgrade attack Moderate
GHSA-vh4h-fvqf-q9wv was published for @cloudflare/workers-oauth-provider (npm) May 1, 2025 withdrawn
Parse Server has an OAuth login vulnerability Moderate
CVE-2025-30168 was published for parse-server (npm) Mar 21, 2025
tiaod dblythy
mtrezza
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() Moderate
CVE-2022-23540 was published for jsonwebtoken (npm) Dec 22, 2022
Broken Authentication in Atlassian Connect Express High
CVE-2021-26073 was published for atlassian-connect-express (npm) May 24, 2022
Withdrawn Advisory: Lunary Improper Authentication vulnerability High
CVE-2024-6582 was published for lunary (npm) Sep 13, 2024 withdrawn
vincelwt
Ghost's improper authentication allows access to member information and actions Moderate
CVE-2024-43409 was published for @tryghost/portal (npm) Aug 20, 2024
1337Nerd
Matrix JavaScript SDK's key history sharing could share keys to malicious devices High
CVE-2024-47080 was published for matrix-js-sdk (npm) Oct 15, 2024
dkasak
Flowise Authentication Bypass vulnerability High
CVE-2024-8181 was published for flowise (npm) Aug 27, 2024
EverShop vulnerable to improper authorization in GraphQL endpoints High
CVE-2023-46942 was published for @evershop/evershop (npm) Jan 13, 2024
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC Moderate
CVE-2022-23541 was published for jsonwebtoken (npm) Dec 22, 2022
@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR) Critical
CVE-2024-22206 was published for @clerk/nextjs (npm) Jan 12, 2024
nikosdouvlis SokratisVidros
colinclerk agis braden-clerk brkalow
botframework-connector vulnerable to Improper Authentication Moderate
CVE-2021-1725 was published for botframework-connector (npm) Mar 8, 2021
Arbitrary remote file read in Wrangler dev server Moderate
CVE-2023-7079 was published for wrangler (npm) Jan 3, 2024
Lekensteyn
Improper Key Verification in ipns High
GHSA-j59f-6m4q-62h6 was published for ipns (npm) May 30, 2019
mprpic
matrix-appservice-bridge doesn't verify the sub parameter of an openId token exhange, allowing unauthorized access to provisioning APIs Moderate
CVE-2023-38691 was published for matrix-appservice-bridge (npm) Aug 4, 2023
Unauthorized Access to Private Fields in User Registration API High
CVE-2023-39345 was published for @strapi/plugin-users-permissions (npm) Nov 3, 2023
dogusdeniz innerdvations
derrickmehaffy christiancp100
isolated-vm has vulnerable CachedDataOptions in API Critical
CVE-2022-39266 was published for isolated-vm (npm) Sep 30, 2022
hedgehog80
Improper Access Control in passport-oauth2 Moderate
CVE-2021-41580 was published for passport-oauth2 (npm) Sep 29, 2021
Auto-merging Person Records Compromised High
CVE-2021-32691 was published for @apollosproject/data-connector-rock (npm) Jun 21, 2021
Improper Authentication in react-adal High
CVE-2020-7787 was published for react-adal (npm) Apr 13, 2021
Forced Logout in keycloak-connect Moderate
CVE-2019-10157 was published for keycloak-connect (npm) Jun 13, 2019
Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter High
CVE-2022-24901 was published for parse-server (npm) May 4, 2022
yoshmidev kurt-r2c
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database