GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 40
GitHub Actions: 40
Go: 2,954
Maven: 5,000+
npm: 4,606
NuGet: 787
pip: 4,305
Pub: 12
RubyGems: 984
Rust: 1,121
Swift: 49

Unreviewed advisories
All unreviewed: 5,000+
1,793 advisories
Cube Core is vulnerable to privilege escalation via a specially crafted request
High | CVE-2026-25958 was published for @cubejs-backend/server-core (npm) | Feb 10, 2026

FUXA Affected by a Path Traversal Sanitization Bypass
High | CVE-2026-25951 was published for fuxa-server (npm) | Feb 10, 2026

FUXA contains an insecure default configuration vulnerability
High | CVE-2025-69970 was published for fuxa-server (npm) | Feb 3, 2026

Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
High | CVE-2026-25639 was published for axios (npm) | Feb 9, 2026

@modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse
High | CVE-2026-25536 was published for @modelcontextprotocol/sdk (npm) | Feb 4, 2026

godot-mcp has Command Injection via unsanitized projectPath
High | CVE-2026-25546 was published for @coding-solo/godot-mcp (npm) | Feb 4, 2026

AdonisJS vulnerable to Denial of Service (DoS) via Unrestricted Memory Buffering in PartHandler during File Type Detection
High | CVE-2026-25762 was published for @adonisjs/bodyparser (npm) | Feb 6, 2026

AdonisJS multipart body parsing has Prototype Pollution issue
High | CVE-2026-25754 was published for @adonisjs/bodyparser (npm) | Feb 6, 2026

Duplicate Advisory: npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
High | CVE-2026-0775 was published for npm (npm) | Jan 23, 2026 • withdrawn

OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply
High | CVE-2026-25593 was published for openclaw (npm) | Feb 4, 2026

Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json
High | CVE-2026-25725 was published for @anthropic-ai/claude-code (npm) | Feb 6, 2026

Claude Code Vulnerable to Command Injection via Piped sed Command Bypasses File Write Restrictions
High | CVE-2026-25723 was published for @anthropic-ai/claude-code (npm) | Feb 6, 2026

Claude Code Vulnerable to Command Injection via Directory Change Bypasses Write Protection
High | CVE-2026-25722 was published for @anthropic-ai/claude-code (npm) | Feb 6, 2026

@isaacs/brace-expansion has Uncontrolled Resource Consumption
High | CVE-2026-25547 was published for @isaacs/brace-expansion (npm) | Feb 3, 2026

Mongoose search injection vulnerability
High | CVE-2024-53900 was published for mongoose (npm) | Dec 2, 2024

Claude Code has a Path Restriction Bypass via ZSH Clobber which Allows Arbitrary File Writes
High | CVE-2026-24053 was published for @anthropic-ai/claude-code (npm) | Feb 3, 2026

@fedify/fedify has Improper Authentication and Incorrect Authorization
High | CVE-2025-54888 was published for @fedify/fedify (npm) | Aug 8, 2025

OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand
High | CVE-2026-25157 was published for clawdbot (npm) | Feb 2, 2026

Compressing Vulnerable to Arbitrary File Write via Symlink Extraction
High | CVE-2026-24884 was published for compressing (npm) | Feb 3, 2026

Apollo Serve vulnerable to Denial of Service with `startStandaloneServer`
High | CVE-2026-23897 was published for @apollo/server (npm) | Feb 4, 2026

semver vulnerable to Regular Expression Denial of Service
High | CVE-2022-25883 was published for semver (npm) | Jun 21, 2023

n8n's Improper CSP Enforcement in Webhook Responses May Allow Stored XSS
High | CVE-2026-25051 was published for n8n (npm) | Feb 4, 2026

n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner
High | CVE-2025-61917 was published for n8n (npm) | Feb 4, 2026

n8n Vulnerable to Arbitrary File Write on Remote Systems via SSH Node
High | CVE-2026-25055 was published for n8n (npm) | Feb 4, 2026

n8n Has Stored Cross-site Scripting via Markdown Rendering in Workflow UI
High | CVE-2026-25054 was published for n8n (npm) | Feb 4, 2026
ProTip! Advisories are also available from the GraphQL API