GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
68 advisories
tough cyclic delegation graphs are not detected
Low
GHSA-j8x2-777p-23fc
was published
for
tough
(Rust)
Mar 28, 2025
tough terminating targets role delegations are not respected
Moderate
CVE-2025-2886
was published
for
tough
(Rust)
Mar 28, 2025
tough root metadata version is not checked for sequential versioning
Moderate
CVE-2025-2885
was published
for
tough
(Rust)
Mar 28, 2025
tough timestamp metadata is cached when it fails snapshot rollback check
Moderate
CVE-2025-2888
was published
for
tough
(Rust)
Mar 28, 2025
tough failure to detect delegated target rollback
Moderate
CVE-2025-2887
was published
for
tough
(Rust)
Mar 28, 2025
org.keycloak:keycloak-services has Inefficient Regular Expression Complexity
High
CVE-2024-10270
was published
for
org.keycloak:keycloak-services
(Maven)
Nov 25, 2024
Incorrect delegation lookups can make go-tuf download the wrong artifact
High
CVE-2024-47534
was published
for
github.com/theupdateframework/go-tuf/v2
(Go)
Oct 1, 2024
basic-auth-connect's callback uses time unsafe string comparison
High
CVE-2024-47178
was published
for
basic-auth-connect
(npm)
Sep 30, 2024
send vulnerable to template injection that can lead to XSS
Low
CVE-2024-43799
was published
for
send
(npm)
Sep 10, 2024
serve-static vulnerable to template injection that can lead to XSS
Low
CVE-2024-43800
was published
for
serve-static
(npm)
Sep 10, 2024
express vulnerable to XSS via response.redirect()
Low
CVE-2024-43796
was published
for
express
(npm)
Sep 10, 2024
body-parser vulnerable to denial of service when url encoding is enabled
High
CVE-2024-45590
was published
for
body-parser
(npm)
Sep 10, 2024
sigstore-go has an unbounded loop over untrusted input can lead to endless data attack
Low
CVE-2024-45395
was published
for
github.com/sigstore/sigstore-go
(Go)
Sep 4, 2024
Minder affected by denial of service from maliciously configured Git repository
Moderate
CVE-2024-37904
was published
for
github.com/stacklok/minder
(Go)
Jun 18, 2024
Denial of service of Minder Server from maliciously crafted GitHub attestations
Moderate
CVE-2024-35238
was published
for
github.com/stacklok/minder
(Go)
May 28, 2024
Stacklok Minder vulnerable to denial of service from maliciously crafted templates
Moderate
CVE-2024-35194
was published
for
github.com/stacklok/minder
(Go)
May 20, 2024
Denial of service of Minder Server with attacker-controlled REST endpoint
Moderate
CVE-2024-35185
was published
for
github.com/stacklok/minder
(Go)
May 16, 2024
Minder's GitHub Webhook Handler vulnerable to DoS from un-validated requests
High
CVE-2024-34084
was published
for
github.com/stacklok/minder
(Go)
May 7, 2024
Cosign malicious artifacts can cause machine-wide DoS
Moderate
CVE-2024-29903
was published
for
github.com/sigstore/cosign
(Go)
Apr 11, 2024
Cosign malicious attachments can cause system-wide denial of service
Moderate
CVE-2024-29902
was published
for
github.com/sigstore/cosign
(Go)
Apr 11, 2024
@fastify/secure-session: Reuse of destroyed secure session cookie
High
CVE-2024-31999
was published
for
@fastify/secure-session
(npm)
Apr 10, 2024
CubeFS leaks users key in logs
Moderate
CVE-2023-46742
was published
for
github.com/cubefs/cubefs
(Go)
Jan 3, 2024
CubeFS leaks magic secret key when starting Blobstore access service
Moderate
CVE-2023-46741
was published
for
github.com/cubefs/cubefs
(Go)
Jan 3, 2024
Insecure random string generator used for sensitive data
High
CVE-2023-46740
was published
for
github.com/cubefs/cubefs
(Go)
Jan 3, 2024
CubeFS timing attack can leak user passwords
High
CVE-2023-46739
was published
for
github.com/cubefs/cubefs
(Go)
Jan 3, 2024
ProTip!
Advisories are also available from the
GraphQL API