
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

223 advisory-database issues

Hi Team, **Repro steps:** 1. Visit for example https://github.com/github/advisory-database/security/advisories/new (for selected GH repo click 'Report a vulnerability' button from Security section/tab) 2. Scroll down to "Weaknesses Common weakness enumerator (CWE)"...

This CVE refers to the following line of code as having a vulnerability: https://github.com/PythonCharmers/python-future/blob/2d56f83adab5a0957cfc5abbe62db1e2d1912b61/src/future/standard_library/__init__.py#L491 That line of code is `import test`; in the reporters' words: > When loading the future...

- Follow up of #6099 Consider the following advisories: 1. chalk-template https://github.com/advisories/GHSA-3jjr-pvq7-4jq5 2. supports-hyperlinks https://github.com/advisories/GHSA-hggr-35mp-qcxg 3. has-ansi https://github.com/advisories/GHSA-jff9-gjh4-j359 4. slice-ansi https://github.com/advisories/GHSA-9xjj-cmqc-578p 5. wrap-ansi https://github.com/advisories/GHSA-2rv4-jp6r-xgq7 6. ansi-regex https://github.com/advisories/GHSA-jvhh-2m83-6w29 7. supports-color https://github.com/advisories/GHSA-pj3j-3w3f-j752...

Hello, I noticed that the advisory [GHSA-9mvj-f7w8-pvh2](https://github.com/advisories/GHSA-9mvj-f7w8-pvh2) is still listed in the GitHub Advisory Database, but the corresponding CVE entry in NVD has been marked as rejected. Reference: [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2024-6484)...

The Advisory https://github.com/advisories/GHSA-8mgj-vmr8-frr6 is a wildcard while npm has removed the malicious dependency v4.4.2 https://github.com/debug-js/debug/issues/1005 https://github.com/chalk/chalk/issues/656 Unless I am missing something, previous versions seem unaffected. Please update to unlock development...

Hello team, I noticed that the GitHub advisory for GHSA-x8rq-rc7x-5fg5 lists the vulnerable package as uppy, whereas the actual vulnerable package appears to be @uppy/component. This vulnerability is a bypass...

I am the author/maintainer of libffi. This report against libffi-dev in npm is problematic: https://github.com/advisories/GHSA-2p54-33x3-2mcf The advisory GHSA-2p54-33x3-2mcf is titled “Malware in libffi-dev” and lists the package as npm: libffi-dev....

Advisory GHSA-hcg3-q754-cr77 lists golang.org/x/crypto as affected, while in fact the affected component is https://pkg.go.dev/golang.org/x/crypto/ssh as correctly reported at https://pkg.go.dev/vuln/GO-2025-3487 So the advisory should be updated to correctly report the affected package.

Hello team, I noticed that [GHSA-9p2w-rmx4-9mw7](https://github.com/advisories/GHSA-9p2w-rmx4-9mw7) appears to be identical to [GHSA-49vv-6q7q-w5cf](https://github.com/advisories/GHSA-49vv-6q7q-w5cf). The key difference is that [GHSA-49vv-6q7q-w5cf](https://github.com/advisories/GHSA-49vv-6q7q-w5cf) has been assigned a CVE identifier [CVE-2021-41275]. Could you please clarify the...

I have noticed an issue with the details provided in the advisory [GHSA-4pg4-qvpc-4q3h](https://github.com/advisories/GHSA-4pg4-qvpc-4q3h) regarding the fixed version. Look, this PR to fix the vulnerability https://github.com/expressjs/multer/pull/1177 is present in both v1.4.5-lts.2 and...