GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

32 advisories

tj-actions/branch-names has a Command Injection Vulnerability Critical
GHSA-gq52-6phf-x2r6 was published for tj-actions/branch-names (GitHub Actions) Jul 25, 2025
tutasla
RageAgainstThePixel/setup-steamcmd leaked authentication token in job output logs High
GHSA-c5qx-p38x-qf5w was published for RageAgainstThePixel/setup-steamcmd (GitHub Actions) Jul 21, 2025
BrknRobot
buildalon/setup-steamcmd leaked authentication token in job output logs High
GHSA-mj96-mh85-r574 was published for buildalon/setup-steamcmd (GitHub Actions) Jul 21, 2025
BrknRobot
Cromwell GitHub Actions Secrets exfiltration via `Issue_comment` Critical
GHSA-phf6-hm3h-x8qp was published for broadinstitute/cromwell (GitHub Actions) May 28, 2025
darryk10 loresuso
AlbertoPellitteri
Bullfrog's DNS over TCP bypasses domain filtering Moderate
CVE-2025-47775 was published for bullfrogsec/bullfrog (GitHub Actions) May 15, 2025
vin01
Multiple Reviewdog actions were compromised during a specific time period High
CVE-2025-30154 was published for reviewdog/action-setup (GitHub Actions) Mar 19, 2025
sshayb ramimac
OZI-Project/ozi-publish Code Injection vulnerability Moderate
CVE-2025-47271 was published for OZI-Project/publish (GitHub Actions) May 12, 2025
Harden-Runner allows evasion of 'disable-sudo' policy Moderate
CVE-2025-32955 was published for step-security/harden-runner (GitHub Actions) Apr 22, 2025
loresuso darryk10
canonical/get-workflow-version-action can leak a partial GITHUB_TOKEN in exception output High
CVE-2025-31479 was published for canonical/get-workflow-version-action (GitHub Actions) Apr 2, 2025
dannystaple
GitHub PAT written to debug artifacts High
CVE-2025-24362 was published for github/codeql-action (GitHub Actions) Jan 24, 2025
jstawinski
tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs. High
CVE-2025-30066 was published for tj-actions/changed-files (GitHub Actions) Mar 15, 2025
varunsh-coder
github-slug-action vulnerable to arbitrary code execution High
CVE-2023-27581 was published for rlespinasse/github-slug-action (GitHub Actions) Mar 13, 2023
R3x rlespinasse
@actions/download-artifact has an Arbitrary File Write via artifact extraction High
GHSA-cxww-7g56-2vh6 was published for actions/download-artifact (GitHub Actions) Sep 3, 2024
holmanb
Artifact poisoning vulnerability in action-download-artifact v5 and earlier High
GHSA-5xr6-xhww-33m4 was published for dawidd6/action-download-artifact (GitHub Actions) Nov 25, 2024
woodruffw
Harden-Runner has command injection weaknesses in `setup.ts` and `arc-runner.ts` Low
CVE-2024-52587 was published for step-security/harden-runner (GitHub Actions) Nov 18, 2024
woodruffw
GitHub Actions Script Injection in `ultralytics/actions` High
GHSA-7x29-qqmq-v6qc was published for ultralytics/actions (GitHub Actions) Aug 14, 2024
AdnaneKhan
fish-shop/syntax-check Improper Neutralization of Delimiters Moderate
CVE-2024-42482 was published for fish-shop/syntax-check (GitHub Actions) Aug 12, 2024
marcransome
github-slug-action use of `set-env` Runner commands which are processed via stdout Moderate
GHSA-7f32-hm4h-w77q was published for rlespinasse/github-slug-action (GitHub Actions) Feb 3, 2024
hsblhsn rlespinasse
Vault GitHub Action did not correctly mask multi-line secrets in output High
CVE-2021-32074 was published for hashicorp/vault-action (GitHub Actions) May 24, 2022
tdunlap607 Gentoli
Potential Actions command injection in output filenames (GHSL-2023-275) High
CVE-2023-52137 was published for tj-actions/verify-changed-files (GitHub Actions) Jan 2, 2024
jorgectf jsoref
tj-actions/changed-files has Potential Actions command injection in output filenames (GHSL-2023-271) High
CVE-2023-51664 was published for tj-actions/changed-files (GitHub Actions) Jan 2, 2024
jorgectf jsoref
memory overflow vulnerability in OpenEXR-viewer Critical
CVE-2023-50245 was published for afichet/openexr-viewer (GitHub Actions) Dec 12, 2023
GAP-dev
tj-actions/branch-names's Improper Sanitization of Branch Name Leads to Arbitrary Code Injection Critical
CVE-2023-49291 was published for tj-actions/branch-names (GitHub Actions) Dec 5, 2023
AdnaneKhan R3x
Arbitrary command injection in embano1/wip High
CVE-2023-30623 was published for embano1/wip (GitHub Actions) Apr 24, 2023
R3x
Data written to GitHub Actions Cache may expose secrets High
CVE-2023-30853 was published for gradle/gradle-build-action (GitHub Actions) May 1, 2023
bigdaz