GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
39 advisories
check-spelling workflow vulnerable to token leakage via symlink attack
Critical
CVE-2021-32724
was published
for
check-spelling/check-spelling
(GitHub Actions)
Jul 29, 2022
ghas-to-csv vulnerable to Improper Neutralization of Formula Elements in a CSV File
Moderate
CVE-2022-39217
was published
for
some-natalie/ghas-to-csv
(GitHub Actions)
Sep 16, 2022
Arbitrary command injection in embano1/wip
High
CVE-2023-30623
was published
for
embano1/wip
(GitHub Actions)
Apr 24, 2023
tj-actions/branch-names's Improper Sanitization of Branch Name Leads to Arbitrary Code Injection
Critical
CVE-2023-49291
was published
for
tj-actions/branch-names
(GitHub Actions)
Dec 5, 2023
memory overflow vulnerability in OpenEXR-viewer
Critical
CVE-2023-50245
was published
for
afichet/openexr-viewer
(GitHub Actions)
Dec 12, 2023
tj-actions/changed-files has Potential Actions command injection in output filenames (GHSL-2023-271)
High
CVE-2023-51664
was published
for
tj-actions/changed-files
(GitHub Actions)
Jan 2, 2024
Potential Actions command injection in output filenames (GHSL-2023-275)
High
CVE-2023-52137
was published
for
tj-actions/verify-changed-files
(GitHub Actions)
Jan 2, 2024
Vault GitHub Action did not correctly mask multi-line secrets in output
High
CVE-2021-32074
was published
for
hashicorp/vault-action
(GitHub Actions)
May 24, 2022
fish-shop/syntax-check Improper Neutralization of Delimiters
Moderate
CVE-2024-42482
was published
for
fish-shop/syntax-check
(GitHub Actions)
Aug 12, 2024
GitHub Actions Script Injection in `ultralytics/actions`
High
GHSA-7x29-qqmq-v6qc
was published
for
ultralytics/actions
(GitHub Actions)
Aug 14, 2024
Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`
Low
CVE-2024-52587
was published
for
step-security/harden-runner
(GitHub Actions)
Nov 18, 2024
Artifact poisoning vulnerability in action-download-artifact v5 and earlier
High
GHSA-5xr6-xhww-33m4
was published
for
dawidd6/action-download-artifact
(GitHub Actions)
Nov 25, 2024
@actions/download-artifact has an Arbitrary File Write via artifact extraction
High
GHSA-cxww-7g56-2vh6
was published
for
actions/download-artifact
(GitHub Actions)
Sep 3, 2024
GitHub PAT written to debug artifacts
High
CVE-2025-24362
was published
for
github/codeql-action
(GitHub Actions)
Jan 24, 2025
canonical/get-workflow-version-action can leak a partial GITHUB_TOKEN in exception output
High
CVE-2025-31479
was published
for
canonical/get-workflow-version-action
(GitHub Actions)
Apr 2, 2025
Bullfrog's DNS over TCP bypasses domain filtering
Moderate
CVE-2025-47775
was published
for
bullfrogsec/bullfrog
(GitHub Actions)
May 15, 2025
Cromwell GitHub Actions Secrets exfiltration via `Issue_comment`
Critical
GHSA-phf6-hm3h-x8qp
was published
for
broadinstitute/cromwell
(GitHub Actions)
May 28, 2025
buildalon/setup-steamcmd leaked authentication token in job output logs
High
GHSA-mj96-mh85-r574
was published
for
buildalon/setup-steamcmd
(GitHub Actions)
Jul 21, 2025
RageAgainstThePixel/setup-steamcmd leaked authentication token in job output logs
High
GHSA-c5qx-p38x-qf5w
was published
for
RageAgainstThePixel/setup-steamcmd
(GitHub Actions)
Jul 21, 2025
lychee link checking action affected by arbitrary code injection in composite action
Moderate
CVE-2024-48908
was published
for
lycheeverse/lychee-action
(GitHub Actions)
Aug 28, 2025
Command Injection via sonarqube-scan-action GitHub Action
High
CVE-2025-58178
was published
for
SonarSource/sonarqube-scan-action
(GitHub Actions)
Sep 2, 2025
PyPI publish GitHub Action vulnerable to injectable expression expansions in action steps
Low
GHSA-vxmw-7h4f-hqxh
was published
for
pypa/gh-action-pypi-publish
(GitHub Actions)
Sep 4, 2025
ProTip!
Advisories are also available from the
GraphQL API