Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,239
Erlang
31
GitHub Actions
21
Go
2,007
Maven
5,000+
npm
3,716
NuGet
662
pip
3,388
Pub
11
RubyGems
885
Rust
851
Swift
36
Unreviewed advisories
All unreviewed
5,000+

49 advisories

Loading
sigstore-java has vulnerability with bundle verification Moderate
CVE-2024-53267 was published for dev.sigstore:sigstore-java (Maven) Nov 26, 2024
loosebazooka
Keycloak SAML signature validation flaw Moderate
CVE-2024-8698 was published for org.keycloak:keycloak-saml-core (Maven) Sep 19, 2024
Improper Verification of Cryptographic Signature in ansible Moderate
CVE-2020-14365 was published for ansible (pip) Apr 20, 2021
Python RSA allows attackers to spoof signatures Moderate
CVE-2016-1494 was published for rsa (pip) May 14, 2022
svix vulnerable to Authentication Bypass Moderate
CVE-2024-21491 was published for svix (Rust) Feb 13, 2024
SAML XML Signature wrapping in PySAML2 Moderate
CVE-2021-21238 was published for pysaml2 (pip) Jan 21, 2021
VictorSG
Improper Verification of Cryptographic Signature in PySAML2 Moderate
CVE-2021-21239 was published for pysaml2 (pip) Jan 21, 2021
bawolff
OpenZeppelin Contracts contains Improper Verification of Cryptographic Signature Moderate
CVE-2023-23940 was published for openzeppelin-cairo-contracts (pip) Feb 2, 2023
OpenStack Keystone does not check signature TTL of the EC2 credential auth method Moderate
CVE-2020-12692 was published for keystone (pip) May 24, 2022
Archive spoofing vulnerability in borgbackup Moderate
CVE-2023-36811 was published for borgbackup (pip) Aug 30, 2023
ThomasWaldmann
whatsapp-api-js fails to validate message's signature Moderate
CVE-2024-45607 was published for whatsapp-api-js (npm) Sep 12, 2024
Improper Verification of Cryptographic Signature in aws-encryption-sdk-java Moderate
CVE-2024-23680 was published for com.amazonaws:aws-encryption-sdk-java (Maven) Jan 19, 2024
oscerd
Adyen APIs Library for Python timing attack vulnerability Moderate
GHSA-f3q4-ggfp-jv34 was published for Adyen (pip) Aug 30, 2024
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() Moderate
CVE-2022-23540 was published for jsonwebtoken (npm) Dec 22, 2022
Denial of Service in TenderMint Moderate
CVE-2020-15091 was published for github.com/tendermint/tendermint (Go) Dec 20, 2021
ebuchman melekes
Cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature Moderate
CVE-2022-36056 was published for github.com/sigstore/cosign (Go) Sep 16, 2022
codysoyland asraa
haydentherapper
go-saml's XML Digital Signatures use SHA-1 Moderate
CVE-2020-36563 was published for github.com/RobotsAndPencils/go-saml (Go) Dec 28, 2022
TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController Moderate
CVE-2024-34358 was published for typo3/cms-core (Composer) May 14, 2024
derhansen bnf
bmack
Improper Verification of Cryptographic Signature in org.apache.httpcomponents:httpclient Moderate
CVE-2014-3577 was published for org.apache.httpcomponents:httpclient (Maven) Oct 17, 2018
MarkLee131
AEADs/aes-gcm: Plaintext exposed in decrypt_in_place_detached even on tag verification failure Moderate
CVE-2023-42811 was published for aes-gcm (Rust) Sep 22, 2023
nandita-v
yiisoft/yii2-authclient's Oauth2 PKCE implementation is vulnerable Moderate
CVE-2023-50714 was published for yiisoft/yii2-authclient (Composer) Dec 18, 2023
rhertogh
Missing SSH host key validation in Mac Plugin Moderate
CVE-2020-2146 was published for fr.edf.jenkins.plugins:mac (Maven) May 24, 2022
NotMyFault
Gitsign's Rekor public keys fetched from upstream API instead of local TUF client. Moderate
CVE-2023-47122 was published for github.com/sigstore/gitsign (Go) Nov 14, 2023
adityasaky
light-oauth2 missing public key verification Moderate
CVE-2023-31580 was published for com.networknt:light-oauth2 (Maven) Oct 25, 2023
NATS TLS certificate common name validation bypass Moderate
GHSA-wvc4-j7g5-4f79 was published for nats (Rust) Mar 27, 2023
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database