GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
10 advisories
Trivy Action has a script injection via sourced env file in composite action
Moderate | CVE-2026-26189 was published for aquasecurity/trivy-action (GitHub Actions) | Feb 18, 2026

Harden-Runner: Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)
Moderate | CVE-2026-25598 was published for step-security/harden-runner (GitHub Actions) | Feb 9, 2026

lychee link checking action affected by arbitrary code injection in composite action
Moderate | CVE-2024-48908 was published for lycheeverse/lychee-action (GitHub Actions) | Aug 28, 2025

Bullfrog's DNS over TCP bypasses domain filtering
Moderate | CVE-2025-47775 was published for bullfrogsec/bullfrog (GitHub Actions) | May 15, 2025

OZI-Project/ozi-publish Code Injection vulnerability
Moderate | CVE-2025-47271 was published for OZI-Project/publish (GitHub Actions) | May 12, 2025

Harden-Runner allows evasion of 'disable-sudo' policy
Moderate | CVE-2025-32955 was published for step-security/harden-runner (GitHub Actions) | Apr 22, 2025

fish-shop/syntax-check Improper Neutralization of Delimiters
Moderate | CVE-2024-42482 was published for fish-shop/syntax-check (GitHub Actions) | Aug 12, 2024

github-slug-action use of `set-env` Runner commands which are processed via stdout
Moderate | GHSA-7f32-hm4h-w77q was published for rlespinasse/github-slug-action (GitHub Actions) | Feb 3, 2024

Actions expression injection in `filter-test-configs` (`GHSL-2023-181`)
Moderate | GHSA-hw6r-g8gj-2987 was published for https://github.com/pytorch/pytorch/.github/actions/filter-test-configs (GitHub Actions) | Aug 30, 2023

ghas-to-csv vulnerable to Improper Neutralization of Formula Elements in a CSV File
Moderate | CVE-2022-39217 was published for some-natalie/ghas-to-csv (GitHub Actions) | Sep 16, 2022
ProTip! Advisories are also available from the GraphQL API.