GitHub
Products
43- 119 CVEs
- 14 CVEs
- 11 CVEs
- 8 CVEs
- 8 CVEs
- 6 CVEs
- Hub3 CVEsgem
- 3 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- View all 43 products →
Recent CVEs
201| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-17632 | Cri | 0.67 | 9.8 | 0.02 | Dec 13, 2017 | Responsive Events And Movie Ticket Booking Script 3.2.1 has SQL Injection via the findcity.php q parameter. | ||
| CVE-2024-46627 | Cri | 0.66 | 9.1 | 0.04 | Sep 26, 2024 | Incorrect access control in BECN DATAGERRY v2.2 allows attackers to execute arbitrary commands via crafted web requests. | ||
| CVE-2026-8034 | Cri | 0.64 | 9.8 | 0.00 | May 7, 2026 | A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname… | ||
| CVE-2024-25825 | Cri | 0.64 | 9.8 | 0.01 | Oct 9, 2024 | FydeOS for PC 17.1 R114, FydeOS for VMware 17.0 R114, FydeOS for You 17.1 R114, and OpenFyde R114 were discovered to be configured with the root password saved as a wildcard. This allows attackers to gain root access without a password. | ||
| CVE-2018-18075 | Cri | 0.64 | 9.8 | 0.02 | Oct 9, 2018 | WikidForum 2.20 has SQL Injection via the rpc.php parent_post_id or num_records parameter, or the index.php?action=search select_sort parameter. | ||
| CVE-2017-18215 | Cri | 0.64 | 9.8 | 0.02 | Mar 5, 2018 | xvpng.c in xv 3.10a has memory corruption (out-of-bounds write) when decoding PNG comment fields, leading to crashes or potentially code execution, because it uses an incorrect length value. | ||
| CVE-2026-5845 | Cri | 0.62 | 9.6 | 0.00 | Apr 21, 2026 | An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an… | ||
| CVE-2026-44451 | Cri | 0.60 | 9.3 | 0.00 | May 26, 2026 | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator… | ||
| CVE-2026-5921 | Hig | 0.58 | 8.9 | 0.00 | Apr 21, 2026 | A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was… | ||
| CVE-2026-41109 | Hig | 0.57 | 8.8 | 0.01 | May 12, 2026 | Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network. | ||
| CVE-2026-4296 | Hig | 0.57 | 8.8 | 0.00 | Apr 21, 2026 | An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application's registered callback URL could craft a malicious… | ||
| CVE-2026-3854 | Hig | 0.57 | 8.8 | 0.24 | Mar 10, 2026 | An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were… | ||
| CVE-2024-43653 | Hig | 0.57 | 8.8 | 0.02 | Jan 9, 2025 | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root This issue affects Iocharger firmware for AC model chargers before version 24120701. Likelihood: Moderate – The binary does not… | ||
| CVE-2024-43649 | Hig | 0.57 | 8.8 | 0.02 | Jan 9, 2025 | Authenticated command injection in the filename of a .exe request leads to remote code execution as the root user. This issue affects Iocharger firmware for AC models before version 24120701. Likelihood: Moderate – This action is not a common place for command… | ||
| CVE-2026-4931 | Hig | 0.56 | 8.6 | 0.00 | Apr 7, 2026 | Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost. | ||
| CVE-2025-53367 | Hig | 0.55 | — | 0.01 | Jul 3, 2025 | DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing documents and images. Prior to version 3.5.29, the MMRDecoder::scanruns method is affected by an OOB-write vulnerability, because it does not check that the xr pointer stays within the bounds of the… | ||
| CVE-2026-9312 | Hig | 0.53 | 8.2 | 0.07 | May 27, 2026 | A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal… | ||
| CVE-2025-71216 | Hig | 0.51 | 7.8 | 0.00 | May 21, 2026 | A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent cache mechanism could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target… | ||
| CVE-2026-34676 | Hig | 0.51 | 7.8 | 0.00 | May 12, 2026 | Substance3D - Painter versions 12.0.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious… | ||
| CVE-2018-10778 | Hig | 0.51 | 7.8 | 0.01 | May 7, 2018 | Read access violation in the III_dequantize_sample function in mpglibDBL/layer3.c in mp3gain through 1.5.2-r2 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact, a different vulnerability than CVE-2017-9872 and… |
- risk 0.67cvss 9.8epss 0.02
Responsive Events And Movie Ticket Booking Script 3.2.1 has SQL Injection via the findcity.php q parameter.
- risk 0.66cvss 9.1epss 0.04
Incorrect access control in BECN DATAGERRY v2.2 allows attackers to execute arbitrary commands via crafted web requests.
- risk 0.64cvss 9.8epss 0.00
A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname…
- risk 0.64cvss 9.8epss 0.01
FydeOS for PC 17.1 R114, FydeOS for VMware 17.0 R114, FydeOS for You 17.1 R114, and OpenFyde R114 were discovered to be configured with the root password saved as a wildcard. This allows attackers to gain root access without a password.
- risk 0.64cvss 9.8epss 0.02
WikidForum 2.20 has SQL Injection via the rpc.php parent_post_id or num_records parameter, or the index.php?action=search select_sort parameter.
- risk 0.64cvss 9.8epss 0.02
xvpng.c in xv 3.10a has memory corruption (out-of-bounds write) when decoding PNG comment fields, leading to crashes or potentially code execution, because it uses an incorrect length value.
- risk 0.62cvss 9.6epss 0.00
An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an…
- risk 0.60cvss 9.3epss 0.00
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator…
- risk 0.58cvss 8.9epss 0.00
A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was…
- risk 0.57cvss 8.8epss 0.01
Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network.
- risk 0.57cvss 8.8epss 0.00
An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application's registered callback URL could craft a malicious…
- risk 0.57cvss 8.8epss 0.24
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were…
- risk 0.57cvss 8.8epss 0.02
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root This issue affects Iocharger firmware for AC model chargers before version 24120701. Likelihood: Moderate – The binary does not…
- risk 0.57cvss 8.8epss 0.02
Authenticated command injection in the filename of a .exe request leads to remote code execution as the root user. This issue affects Iocharger firmware for AC models before version 24120701. Likelihood: Moderate – This action is not a common place for command…
- risk 0.56cvss 8.6epss 0.00
Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost.
- risk 0.55cvss —epss 0.01
DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing documents and images. Prior to version 3.5.29, the MMRDecoder::scanruns method is affected by an OOB-write vulnerability, because it does not check that the xr pointer stays within the bounds of the…
- risk 0.53cvss 8.2epss 0.07
A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal…
- risk 0.51cvss 7.8epss 0.00
A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent cache mechanism could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target…
- risk 0.51cvss 7.8epss 0.00
Substance3D - Painter versions 12.0.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious…
- risk 0.51cvss 7.8epss 0.01
Read access violation in the III_dequantize_sample function in mpglibDBL/layer3.c in mp3gain through 1.5.2-r2 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact, a different vulnerability than CVE-2017-9872 and…