Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,029
Maven
5,000+
npm
5,000+
NuGet
976
pip
5,000+
Pub
13
RubyGems
1,070
Rust
1,404
Swift
61
Unreviewed advisories
All unreviewed
5,000+

159 advisories

Loading
Liferay Portal and DXP does not properly expire sessions Moderate
CVE-2025-43819 was published for com.liferay:com.liferay.saml.impl (Maven) Sep 24, 2025
cai0duque Credited to cai0duque
Fides' Admin UI User Password Change Does Not Invalidate Current Session Low
CVE-2025-57766 was published for ethyca-fides (pip) Sep 8, 2025
thabofletcher Credited to thabofletcher, adamsachs, and daveqnet adamsachs adamsachs
daveqnet daveqnet
Coder vulnerable to privilege escalation could lead to a cross workspace compromise High
CVE-2025-58437 was published for github.com/coder/coder/v2 (Go) Sep 5, 2025
johnstcn Credited to johnstcn
Weblate has a long session expiry when verifying second factor Low
CVE-2025-58352 was published for Weblate (pip) Sep 4, 2025
nijel Credited to nijel
Payload does not invalidate JWTs after log out Moderate
CVE-2025-4643 was published for @payloadcms/graphql (npm) Aug 29, 2025
File Browser’s insecure JWT handling can lead to session replay attacks after logout High
CVE-2025-53826 was published for github.com/filebrowser/filebrowser (Go) Jul 16, 2025
maen08 Credited to maen08 and hacdias hacdias hacdias
ash_authentication_phoenix has Insufficient Session Expiration Low
CVE-2025-4754 was published for ash_authentication_phoenix (Erlang) Jun 17, 2025
jimsynz Credited to jimsynz, zachdaniel, mbuhot, and maennchen zachdaniel zachdaniel
mbuhot mbuhot maennchen maennchen
Rack session gets restored after deletion Moderate
CVE-2025-46336 was published for rack-session (RubyGems) May 8, 2025
stengineering0 Credited to stengineering0, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack session gets restored after deletion Moderate
CVE-2025-32441 was published for rack (RubyGems) May 8, 2025
stengineering0 Credited to stengineering0, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
ZITADEL Allows IdP Intent Token Reuse High
CVE-2025-46815 was published for github.com/zitadel/zitadel (Go) May 6, 2025
cfx Credited to cfx, livio-a, and fforootd livio-a livio-a
fforootd fforootd
Auth0 NextJS SDK v4 Missing Session Invalidation Moderate
CVE-2025-46344 was published for @auth0/nextjs-auth0 (npm) Apr 29, 2025
Apache Airflow Fab Provider Insufficient Session Expiration vulnerability Low
CVE-2024-45033 was published for apache-airflow-providers-fab (pip) Jan 8, 2025
TShock Security Escalation Exploit High
GHSA-hvm9-wc8j-mgrc was published for TShock (NuGet) Dec 18, 2024
sgkoishi Credited to sgkoishi and THEXN THEXN THEXN
Session fixation vulnerability in Jenkins OpenId Connect Authentication Plugin High
CVE-2024-52553 was published for org.jenkins-ci.plugins:oic-auth (Maven) Nov 13, 2024
Umbraco CMS logout page displayed before session expiration Moderate
CVE-2024-48926 was published for Umbraco.CMS (NuGet) Oct 22, 2024
TRexStark Credited to TRexStark
Mage AI incorrectly gives privileges to users with deleted accounts Moderate
CVE-2024-45187 was published for mage-ai (pip) Aug 23, 2024
Apache Airflow Providers FAB Insufficient Session Expiration vulnerability Low
CVE-2024-42447 was published for apache-airflow-providers-fab (pip) Aug 5, 2024
Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider High
CVE-2023-22650 was published for github.com/rancher/rancher (Go) Jun 17, 2024
zenml-io/zenml does not expire the session after password reset Low
CVE-2024-4680 was published for zenml (pip) Jun 8, 2024
zfr authentication adapter did not verify validity of tokens High
GHSA-rcm4-jv5g-wccm was published for zfr/zfr-oauth2-server-module (Composer) Jun 7, 2024
silverstripe/framework's pre-existing alc_enc cookies log users in if remember me is disabled Low
GHSA-5r8w-66hq-rc39 was published for silverstripe/framework (Composer) May 27, 2024
@fastify/session reuses destroyed session cookie High
CVE-2024-35220 was published for @fastify/session (npm) May 21, 2024
kaanoz1 Credited to kaanoz1
Reportico Web fails to invalidate cookies upon logout Moderate
CVE-2024-31556 was published for reportico-web/reportico (Composer) May 14, 2024
Directus Lacks Session Tokens Invalidation Moderate
CVE-2024-34709 was published for directus (npm) May 13, 2024
Keycloak vulnerable to session hijacking via re-authentication Moderate
CVE-2023-6787 was published for org.keycloak:keycloak-services (Maven) Apr 17, 2024
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database