84 GHSAs reference CVE IDs with no record in cvelistV5, the CVE Services API, or NVD #8051

@jgamblin

Summary

While cross-referencing the GitHub Advisory Database against the CVE Program, I found 84 advisories whose aliases list a CVE ID that returns not found in all three authoritative sources I checked:

  • CVEProject/cvelistV5 — no record
  • the CVE Services API (cveawg.mitre.org) — CVE_RECORD_DNE
  • NVD (services.nvd.nist.gov) — 0 results

Each advisory was itself published more than 120 days ago (GHSA published date), so this isn't fresh-sync lag.

I've split them by where they live, since that affects who can act on them:

  • 63 are github-reviewed advisories in this database (github.com/advisories/...).
  • 21 are repo-level advisories published in individual projects' repos (github.com/<owner>/<repo>/security/advisories/...) that are not in the reviewed database — included for completeness since they show the same dangling-CVE pattern; they may be out of scope here.

I'm not assuming fault or a specific cause — an alias could be a typo, the CVE may have been rejected or never finalized, or it could be a migration gap. I wanted to surface it rather than guess. Is this useful, and is there a preferred way to report or route these (per-advisory, grouped by CNA, raw JSON/CSV)? Happy to adapt the format to whatever is easiest to act on.

How this was verified

  • Generated 2026-06-16T18:24:47Z; each CVE checked live against the three sources above.
  • 84 absent from all three.

GitHub-reviewed advisories in this database (63)

| GHSA | CVE | GHSA published | cvelistV5 | CVE Services | NVD | Package | Summary |
|---|---|---|---|---|---|---|---|
| GHSA-28gr-86hg-r48w | CVE-2013-3364 | 2020-08-31 | absent | absent | absent | npm:ep_imageconvert | Unauthenticated Remote Command Injection in ep_imageconvert |
| GHSA-44g9-w23c-5rw7 | CVE-2014-8883 | 2020-08-31 | absent | absent | absent | npm:nhouston | Directory Traversal in nhouston |
| GHSA-f5w6-r7rg-mcgq | CVE-2014-8882 | 2020-08-31 | absent | absent | absent | npm:validator | Regular Expression Denial of Service in validator |
| GHSA-vjfr-p6hp-jqqw | CVE-2015-4130 | 2020-08-31 | absent | absent | absent | npm:ungit | Command Injection in ungit |
| GHSA-2r7f-4h2c-5x73 | CVE-2016-1000249 | 2020-09-01 | absent | absent | absent | npm:fury-adapter-swagger | fury-adapter-swagger allows arbitrary file read from system |
| GHSA-46m8-42hm-wvvw | CVE-2016-1000231 | 2020-09-01 | absent | absent | absent | npm:emojione | Cross-Site Scripting in emojione |
| GHSA-4v9q-hm2p-68c4 | CVE-2016-1000238 | 2020-09-01 | absent | absent | absent | npm:node-krb5 | Spoofing attack due to unvalidated KDC in node-krb5 |
| GHSA-5v9h-q3gj-c32x | CVE-2016-1000225 | 2020-09-01 | absent | absent | absent | npm:sequelize | SQL Injection via GeoJSON in sequelize |
| GHSA-7f59-x49p-v8mq | CVE-2016-1000226 | 2020-09-01 | absent | absent | absent | npm:swagger-ui | Cross-Site Scripting in swagger-ui |
| GHSA-c7pp-g2v2-2766 | CVE-2016-1000228 | 2020-09-01 | absent | absent | absent | npm:gmail-js | DOM-based XSS in gmail-js |
| GHSA-cjj8-wfrx-jqcf | CVE-2016-1000241 | 2020-09-01 | absent | absent | absent | npm:pivottable | Cross-Site Scripting (XSS) in pivottable |
| GHSA-fwcw-5qw2-87mp | CVE-2016-1000235 | 2020-09-01 | absent | absent | absent | npm:fuelux | fuelux vulnerable to Cross-Site Scripting in Pillbox feature |
| GHSA-gg6m-fhqv-hg56 | CVE-2014-4179 | 2020-09-01 | absent | absent | absent | npm:yar | Denial of Service in yar |
| GHSA-gjcw-v447-2w7q | CVE-2016-1000223 | 2020-09-01 | absent | absent | absent | npm:jws | Forgeable Public/Private Tokens in jws |
| GHSA-gjhx-gxwx-jx9j | CVE-2016-1000234 | 2020-09-01 | absent | absent | absent | npm:jqtree | Cross-Site Scripting in jqtree |
| GHSA-gvg7-pp82-cff3 | CVE-2016-1000240 | 2020-09-01 | absent | absent | absent | npm:c3 | Cross-Site Scripting in c3 |
| GHSA-hfq9-rfpv-j8r8 | CVE-2017-16034 | 2020-09-01 | absent | absent | absent | npm:pidusage | Command Injection in pidusage |
| GHSA-hg78-c92r-hvwr | CVE-2016-1000242 | 2020-09-01 | absent | absent | absent | npm:mqtt | Denial of Service in mqtt |
| GHSA-mrx7-8hxf-f853 | CVE-2016-1000233 | 2020-09-01 | absent | absent | absent | npm:swagger-ui | Cross-Site Scripting in swagger-ui |
| GHSA-mvmf-cvfx-qg55 | CVE-2014-8881 | 2020-09-01 | absent | absent | absent | npm:bleach | Regular Expression Denial of Service in bleach |
| GHSA-p788-rj37-357w | CVE-2016-1000224 | 2020-09-01 | absent | absent | absent | npm:ezseed-transmission | Insecure Defaults Leads to Potential MITM in ezseed-transmission |
| GHSA-pjh3-jv7w-9jpr | CVE-2015-7982 | 2020-09-01 | absent | absent | absent | npm:gm | Command Injection in gm |
| GHSA-r87w-47m8-22w3 | CVE-2016-3942 | 2020-09-01 | absent | absent | absent | npm:jsrender | Template Injection in jsrender |
| GHSA-v2jq-9475-r5g8 | CVE-2016-1000227 | 2020-09-01 | absent | absent | absent | npm:bootstrap-tagsinput | Cross-Site Scripting in bootstrap-tagsinput |
| GHSA-v5hp-35hw-cw5x | CVE-2016-1000230 | 2020-09-01 | absent | absent | absent | npm:rendr | XSS in client rendered block templates in rendr |
| GHSA-g53w-52xc-2j85 | CVE-2013-7035 | 2020-09-04 | absent | absent | absent | npm:react | Cross-Site Scripting in react |
| GHSA-v6c5-hwqg-3x5q | CVE-2019-19723 | 2020-09-04 | absent | absent | absent | npm:passport-cognito | Improper Authorization in passport-cognito |
| GHSA-q348-f93x-9gx4 | CVE-2021-30492 | 2021-04-29 | absent | absent | absent | Packagist:zendesk/zendesk_api_client_php | Lack of Input Validation in zendesk_api_client_php for Zendesk Subdomain |
| GHSA-ww3v-6xjf-jv28 | CVE-2018-18855 | 2022-06-28 | absent | absent | absent | Maven:io.spray:spray-json_2.10 | Uncontrolled Resource Consumption in Spray JSON |
| GHSA-cqhr-jqvc-qw9p | CVE-2016-1000273 | 2022-07-20 | absent | absent | absent | Maven:net.bull.javamelody:javamelody-core | Java Melody vulnerable to cross-site scripting |
| GHSA-gwp4-mcv4-w95j | CVE-2022-3102 | 2022-09-21 | absent | absent | absent | PyPI:jwcrypto | jwcrypto token substitution can lead to authentication bypass |
| GHSA-vpqv-mqvc-pcx2 | CVE-2014-4920 | 2023-03-16 | absent | absent | absent | RubyGems:twitter-bootstrap-rails | Reflective Cross-site Scripting Vulnerability in twitter-bootstrap-rails |
| GHSA-93j4-v838-8767 | CVE-2023-45023 | 2023-10-04 | absent | absent | absent | Packagist:in2code/femanager | TYPO3 extension femanager Broken Access Control vulnerability |
| GHSA-6hvg-62q8-95v7 | CVE-2023-46035 | 2023-10-20 | absent | absent | absent | RubyGems:svg_optimizer | svg_optimizer rubygem external XML entity (XXE) vulnerability |
| GHSA-4xp5-hr35-84cx | CVE-2023-50459 | 2023-12-13 | absent | absent | absent | Packagist:in2code/femanager | Broken Access Control in extension "femanager" |
| GHSA-j8cw-ppmv-wj85 | CVE-2023-50462 | 2023-12-13 | absent | absent | absent | Packagist:t3s/content-consent | Insecure Direct Object Reference in extension "Content Consent" (content_consent) |
| GHSA-p6xx-fhfw-7mj7 | CVE-2023-50461 | 2023-12-13 | absent | absent | absent | Packagist:directmailteam/direct-mail | Configuration Injection in extension "Direct Mail" (direct_mail) |
| GHSA-hvp4-vrv2-8wrq | CVE-2024-1314 | 2024-02-08 | absent | absent | absent | PyPI:kinto-attachment | Kinto Attachment's attachments can be replaced on read-only records |
| GHSA-hhf8-f5w9-g6vh | CVE-2024-30173 | 2024-04-02 | absent | absent | absent | Packagist:causal/oidc | OpenID Connect Authentication (oidc) Typo3 extension Authentication Bypass |
| GHSA-jj54-5q2m-q7pj | CVE-2021-32026 | 2024-05-14 | absent | absent | absent | Go:github.com/nats-io/nats-server/v2 | NATS server TLS missing ciphersuite settings when CLI flags used |
| GHSA-g48f-pgwh-wwxx | CVE-2016-1000253 | 2024-05-17 | absent | absent | absent | Packagist:onelogin/php-saml | onelogin/php-saml signature wrapping attacks |
| GHSA-h7v2-2qwg-h829 | CVE-2014-6061 | 2024-05-30 | absent | absent | absent | Packagist:symfony/http-foundation | Symfony has a security issue when parsing the Authorization header |
| GHSA-p684-f7fh-jv2j | CVE-2015-2309 | 2024-05-30 | absent | absent | absent | Packagist:symfony/http-foundation | Symfony has unsafe methods in the Request class |
| GHSA-v35g-4rrw-h4fw | CVE-2014-6072 | 2024-05-30 | absent | absent | absent | Packagist:symfony/symfony | Symfony Cross-Site Request Forgery vulnerability in the Web Profiler |
| GHSA-v77v-x634-9m56 | CVE-2014-5244 | 2024-05-30 | absent | absent | absent | Packagist:symfony/http-foundation | Symfony vulnerable to denial of service via a malicious HTTP Host header |
| GHSA-wfv7-5x33-v22h | CVE-2014-4931 | 2024-05-30 | absent | absent | absent | Packagist:symfony/framework-bundle | Code injection in the way Symfony implements translation caching in FrameworkBundle |
| GHSA-wvjv-p5rr-mmqm | CVE-2014-5245 | 2024-05-30 | absent | absent | absent | Packagist:symfony/http-kernel | Symfony allows direct access of ESI URLs behind a trusted proxy |
| GHSA-3m9x-2qfj-xvq4 | CVE-2015-3542 | 2024-11-07 | absent | absent | absent | Packagist:phpoffice/phpexcel | PHPExcel XXE Vulnerability |
| GHSA-93ww-43rr-79v3 | CVE-2024-10039 | 2024-11-25 | absent | absent | absent | Maven:org.keycloak:keycloak-core | Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination |
| GHSA-rrh3-cgmx-w62f | CVE-2025-30083 | 2025-03-19 | absent | absent | absent | Packagist:codingms/additional-tca | Additional TCA Allows Cross-Site Scripting (XSS) |
| GHSA-vmgw-24w6-9v82 | CVE-2025-30081 | 2025-03-19 | absent | absent | absent | Packagist:clickstorm/cs-seo | Clickstorm SEO Allows Cross-Site Scripting (XSS) |
| GHSA-3p6v-hrg8-8qj7 | CVE-2025-2792 | 2025-03-26 | absent | absent | absent | npm:@mozilla/readability | @mozilla/readability Denial of Service through Regex |
| GHSA-hpqf-m68j-2pfx | CVE-2025-28269 | 2025-04-07 | absent | absent | absent | npm:js-object-utilities | js-object-utilities Vulnerable to Prototype Pollution |
| GHSA-8h6m-wv39-239m | CVE-2024-22031 | 2025-04-25 | absent | absent | absent | Go:github.com/rancher/rancher | Rancher users who can create Projects can gain access to arbitrary projects |
| GHSA-95fc-g4gj-mqmx | CVE-2023-32198 | 2025-04-25 | absent | absent | absent | Go:github.com/rancher/steve | Steve doesn’t verify a server’s certificate and is susceptible to man-in-the-middle (MitM) attacks |
| GHSA-xgpc-q899-67p8 | CVE-2025-23390 | 2025-04-25 | absent | absent | absent | Go:github.com/rancher/fleet | Fleet doesn’t validate a server’s certificate when connecting through SSH |
| GHSA-jv4x-jv3h-qff5 | CVE-2024-21486 | 2025-06-05 | absent | absent | absent | crates.io:deno | Deno vulnerable to Exposure of Sensitive Information to an Unauthorized Actor |
| GHSA-7c78-rm87-5673 | CVE-2025-41419 | 2025-07-31 | absent | absent | absent | PyPI:ms-swift | MS SWIFT WEB-UI RCE Vulnerability |
| GHSA-79j6-g2m3-jgfw | CVE-2025-9141 | 2025-08-21 | absent | absent | absent | PyPI:vllm | vLLM has remote code execution vulnerability in the tool call parser for Qwen3-Coder |
| GHSA-cfmv-h8fx-85m7 | CVE-2025-11058 | 2025-08-26 | absent | absent | absent | PyPI:xml2rfc | xml2rfc has an arbitrary file read vulnerability |
| GHSA-9mv7-3c64-mmqw | CVE-2025-11059 | 2025-09-10 | absent | absent | absent | PyPI:xml2rfc | xml2rfc is vulnerable to arbitrary file reads through prepped files |
| GHSA-6fvq-23cw-5628 | CVE-2025-61620 | 2025-10-07 | absent | absent | absent | PyPI:vllm | vLLM: Resource-Exhaustion (DoS) through Malicious Jinja Template in OpenAI-Compatible Server |
| GHSA-rjv5-9px2-fqw6 | CVE-2025-65852 | 2026-02-06 | absent | absent | absent | Go:gogs.io/gogs | Gogs has authorization bypass in repository deletion API |

Repo-level advisories not in the reviewed database (21)

| GHSA | CVE | GHSA published | cvelistV5 | CVE Services | NVD | Package | Summary |
|---|---|---|---|---|---|---|---|
| GHSA-ww7h-4fx5-8c2j | CVE-2020-13165 | 2020-06-02 | absent | absent | absent |  | Gradle Signing: GnuPG key passphrase captured in INFO and DEBUG logs |
| GHSA-29q7-6g57-5vc6 | CVE-2017-15028 | 2020-07-10 | absent | absent | absent | osquery:osquery | known_hosts should drop privileges |
| GHSA-3227-mxf9-vw74 | CVE-2017-15026 | 2020-07-10 | absent | absent | absent | osquery:osquery | ie_extensions table susceptible to SQL injection |
| GHSA-hx5j-mvj5-rq2m | CVE-2017-15027 | 2020-07-10 | absent | absent | absent | osquery:osquery | safari_extensions table should not use parent paths for privilege dropping |
| GHSA-p5f5-fxhh-qx3w | CVE-2020-15691 | 2021-03-26 | absent | absent | absent | nim:Nim | CR-LF injections in Nim standand library smtp |
| GHSA-r8f8-pgg2-2c26 | CVE-2021-36390 | 2021-07-20 | absent | absent | absent | opf:openproject | Host Header Injection in unproxied Docker installations |
| GHSA-4274-qrr7-mqm6 | CVE-2021-32784 | 2021-07-23 | absent | absent | absent | discourse:discourse | SQL injection in top topics RSS feed route |
| GHSA-gcxh-546h-phg4 | CVE-2021-3399 | 2021-08-31 | absent | absent | absent | none:mcuboot | MCUboot uses hard-coded keys |
| GHSA-8hrv-4cp5-4rg3 | CVE-2021-3890 | 2022-04-18 | absent | absent | absent | c:mcuboot | Integer underflow in parsed TLV data in boot_save_boot_status |
| GHSA-962r-m9fj-3hj9 | CVE-2023-28641 | 2023-05-21 | absent | absent | absent | rubygems:Autolab | Session forgery/admin impersonation vulnerability in recommended Autolab setup (GHSL-2023-030) |
| GHSA-98rx-qxp8-7x65 | CVE-2023-40772 | 2023-09-11 | absent | absent | absent | maven:io.dataease | DataEase has an arbitrary file viewing vulnerability |
| GHSA-439c-3956-r8q7 | CVE-2023-51769 | 2023-12-11 | absent | absent | absent | frappe:frappe | Cross-Site Scripting (XSS) Attack on exceptions and Blog Page |
| GHSA-j482-m46g-v8r2 | CVE-2023-6537 | 2024-06-10 | absent | absent | absent | SuiteCRM:SuiteCRM-Core | Authenticated RCE via Local File Inclusion in redirect handler |
| GHSA-hwrx-jgf2-74hw | CVE-2025-20570 | 2025-04-08 | absent | absent | absent | vscode | Remote Code Execution Vulnerability |
| GHSA-rf8x-9mhr-49wg | CVE-2025-47425 | 2025-05-14 | absent | absent | absent | pip:reflex | Private state fields modification |
| GHSA-48h6-hpp2-357h | CVE-2025-53016 | 2025-08-19 | absent | absent | absent | discourse:discourse | HTML injection in solved posts when "display name on posts" setting enabled |
| GHSA-8hr3-47jh-25vr | CVE-2024-57779 | 2025-10-25 | absent | absent | absent | pi-hole:web | Stored XSS |
| GHSA-v99h-rhv2-7mpq | CVE-2024-2699 | 2026-01-12 | absent | absent | absent | avahi:avahi | Uncontrolled recursion in lookup_handle_cname |
| GHSA-xj9f-7g59-m4jx | CVE-2024-31884 | 2026-01-21 | absent | absent | absent | ceph:pybind | Incorrect usage of certificate checking via Pybind use |
| GHSA-727f-w7gp-pw84 | CVE-2026-25995 | 2026-02-11 | absent | absent | absent | opf:openproject | CSRF via Unsafe GET Request Allows Deletion of Work Packages |
| GHSA-8fq7-cmmf-2793 | CVE-2026-25948 | 2026-02-11 | absent | absent | absent | opf:openproject | Several Insecure Direct Object Reference errors in the meetings module |
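The three-source check described under "How this was verified", as an added example that is not the reporter's own tooling: it maps a CVE ID to its cvelistV5 file path, queries the CVE Services record endpoint and the NVD 2.0 API, and only counts a source as "absent" on a positive not-found signal (404 from the raw file, `CVE_RECORD_DNE`, `totalResults` of 0), so rate limiting or outages are reported as "error" rather than inflating the dangling count. The endpoint URLs, the `ghsa-alias-check` User-Agent and the injectable `fetch` hook are assumptions for this example.

```python
import json
import re
import urllib.request
from urllib.error import HTTPError

# Added example, not the reporter's tooling. Assumed endpoints: raw files in
# CVEProject/cvelistV5, the CVE Services record API and the NVD 2.0 CVE API.
def cvelist_path(cve_id):
    """cvelistV5 layout: cves/<year>/<sequence with last 3 digits as xxx>/<id>.json"""
    m = re.match(r"^CVE-(\d{4})-(\d{4,})$", cve_id)
    if not m:
        raise ValueError(f"not a well-formed CVE ID: {cve_id!r}")
    year, seq = m.groups()
    return f"cves/{year}/{seq[:-3]}xxx/{cve_id}.json"

def source_urls(cve_id):
    return {"cvelistV5": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/" + cvelist_path(cve_id),
            "CVE Services": f"https://cveawg.mitre.org/api/cve/{cve_id}",
            "NVD": f"https://services.nvd.nist.gov/rest/json/cves/2.0?cveId={cve_id}"}

def classify(source, status, body):
    """One response -> 'present', 'absent' or 'error'; throttling/5xx/bad JSON is never 'absent'."""
    if source == "cvelistV5":  # raw.githubusercontent 404 body is plain text, not JSON
        return {200: "present", 404: "absent"}.get(status, "error")
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return "error"
    if source == "CVE Services":
        if status == 200 and "cveMetadata" in data:
            return "present"
        return "absent" if data.get("error") == "CVE_RECORD_DNE" else "error"
    if source == "NVD" and status == 200 and "totalResults" in data:
        return "present" if data["totalResults"] > 0 else "absent"
    return "error"

def http_get(url):
    req = urllib.request.Request(url, headers={"User-Agent": "ghsa-alias-check"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as e:  # keep 4xx bodies: CVE Services puts CVE_RECORD_DNE there
        return e.code, e.read().decode()

def check_cve(cve_id, fetch=http_get):
    """Verdict per source; 'fetch' is injectable so the logic can run offline."""
    return {src: classify(src, *fetch(url)) for src, url in source_urls(cve_id).items()}

def is_dangling(verdicts):
    return all(v == "absent" for v in verdicts.values())
```

Run `check_cve("CVE-2013-3364")` with the default fetch to reproduce one row of the table live; an "error" in any column means the row needs a re-check, not that the CVE exists.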
