GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
4,274
Erlang
31
GitHub Actions
21
Go
2,056
Maven
5,000+
npm
3,740
NuGet
668
pip
3,419
Pub
12
RubyGems
891
Rust
872
Swift
36
Unreviewed advisories
All unreviewed
5,000+
26 advisories
Filter by severity
Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations
Low
CVE-2024-51744
was published
for
github.com/golang-jwt/jwt/v4
(Go)
Nov 4, 2024
SSOReady has an XML Signature Bypass via differential XML parsing
Critical
CVE-2024-47832
was published
for
github.com/ssoready/ssoready
(Go)
Oct 11, 2024
Grafana Plugin signature bypass
High
CVE-2022-31123
was published
for
github.com/grafana/grafana
(Go)
May 14, 2024
Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.
Moderate
CVE-2023-47122
was published
for
github.com/sigstore/gitsign
(Go)
Nov 14, 2023
free5GC udm vulnerable to Invalid Curve Attack
High
CVE-2023-46324
was published
for
github.com/free5gc/udm
(Go)
Oct 23, 2023
notation-go's verification bypass can cause users to verify the wrong artifact
High
CVE-2023-33959
was published
for
github.com/notaryproject/notation-go
(Go)
Jun 6, 2023
Signature validation bypass in github.com/moov-io/signedxml
Critical
CVE-2023-34205
was published
for
github.com/moov-io/signedxml
(Go)
May 30, 2023
go-saml's XML Digital Signatures use SHA-1
Moderate
CVE-2020-36563
was published
for
github.com/RobotsAndPencils/go-saml
(Go)
Dec 28, 2022
go-resolver's DNSSEC validation not performed correctly
High
CVE-2022-3347
was published
for
github.com/peterzen/goresolver
(Go)
Dec 28, 2022
SIF's Digital Signature Hash Algorithms Not Validated
Moderate
CVE-2022-39237
was published
for
github.com/sylabs/sif/v2
(Go)
Oct 6, 2022
Cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature
Moderate
CVE-2022-36056
was published
for
github.com/sigstore/cosign
(Go)
Sep 16, 2022
Dendrite signature checks not applied to some retrieved missing events
High
CVE-2022-39200
was published
for
github.com/matrix-org/dendrite
(Go)
Sep 15, 2022
cosign's `cosign verify-attestaton --type` can report a false positive if any attestation exists
High
CVE-2022-35929
was published
for
github.com/sigstore/cosign
(Go)
Aug 10, 2022
PolicyController before 0.2.1 may bypass attestation verification
High
CVE-2022-35930
was published
for
github.com/sigstore/policy-controller
(Go)
Aug 10, 2022
Signature forgery in Biscuit
Critical
CVE-2022-31053
was published
for
biscuit-auth
(Go)
Jun 17, 2022
Golang/x/crypto message forgery vulnerability
Moderate
CVE-2019-11841
was published
for
golang.org/x/crypto
(Go)
May 24, 2022
Docker Notary Signature Algorithm Not Matched to Key vulnerability
High
CVE-2015-9258
was published
for
github.com/docker/notary
(Go)
May 14, 2022
Execution Control List (ECL) Is Insecure in Singularity
High
CVE-2020-13845
was published
for
github.com/sylabs/singularity
(Go)
Dec 20, 2021
Signature verification failure in Tendermint
Moderate
GHSA-f3w5-v9xx-rp8p
was published
for
github.com/tendermint/tendermint
(Go)
Dec 20, 2021
Denial of Service in TenderMint
Moderate
CVE-2020-15091
was published
for
github.com/tendermint/tendermint
(Go)
Dec 20, 2021
Critical security issues in XML encoding in github.com/dexidp/dex
Critical
CVE-2020-26290
was published
for
github.com/dexidp/dex
(Go)
Dec 20, 2021
Signature Validation Bypass
Critical
GHSA-5684-g483-2249
was published
for
github.com/russellhaering/gosaml2
(Go)
May 24, 2021
Signature Validation Bypass
Critical
GHSA-rrfw-hg9m-j47h
was published
for
github.com/russellhaering/goxmldsig
(Go)
May 24, 2021
github.com/russellhaering/goxmldsig vulnerable to Signature Validation Bypass
Moderate
CVE-2020-15216
was published
for
github.com/russellhaering/goxmldsig
(Go)
May 24, 2021
BLS Signature "Malleability"
Moderate
CVE-2021-21405
was published
for
github.com/filecoin-project/lotus
(Go)
May 21, 2021
ProTip!
Advisories are also available from the
GraphQL API