GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem:
All reviewed: 5,000+
Composer: 5,000+
Erlang: 40
GitHub Actions: 40
Go: 2,954
Maven: 5,000+
npm: 4,606
NuGet: 787
pip: 4,305
Pub: 12
RubyGems: 984
Rust: 1,121
Swift: 49
Unreviewed advisories:
All unreviewed: 5,000+
263 advisories (current filter: npm, severity Low):
Open Chinese Convert has Out-of-bounds Write. Severity: Low. CVE-2025-15536, published for opencc (npm) on Jan 18, 2026.
undici Denial of Service attack via bad certificate data. Severity: Low. CVE-2025-47279, published for undici (npm) on May 15, 2025.
Claude Code has Permission Deny Bypass Through Symbolic Links. Severity: Low. CVE-2026-25724, published for @anthropic-ai/claude-code (npm) on Feb 6, 2026.
webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior. Severity: Low. CVE-2025-68458, published for webpack (npm) on Feb 5, 2026.
webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects, leading to SSRF and cache persistence. Severity: Low. CVE-2025-68157, published for webpack (npm) on Feb 5, 2026.
Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream. Severity: Low. CVE-2026-25224, published for fastify (npm) on Feb 2, 2026.
Qwik City Open Redirect via fixTrailingSlash. Severity: Low. CVE-2026-25149, published for @builder.io/qwik-city (npm) on Feb 3, 2026.
Duplicate Advisory: Regular Expression Denial of Service in braces. Severity: Low. GHSA-g95f-p29q-9xw4, published for braces (npm) on Jun 6, 2019 (withdrawn).
Nodemailer's addressparser is vulnerable to DoS caused by recursive calls. Severity: Low. CVE-2025-14874, published for nodemailer (npm) on Dec 1, 2025.
Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy. Severity: Low. CVE-2026-25050, published for @vendure/core (npm) on Jan 30, 2026.
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch. Severity: Low. CVE-2026-24001, published for diff (npm) on Jan 14, 2026.
Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`. Severity: Low. CVE-2026-24048, published for @backstage/backend-defaults (npm) on Jan 21, 2026.
Turbo Frame responses can restore stale session cookies. Severity: Low. CVE-2025-66803, published for @hotwired/turbo (npm) on Jan 20, 2026.
Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion. Severity: Low. CVE-2026-23522, published for @lobehub/chat (npm) on Jan 20, 2026.
Pepr Has Overly Permissive RBAC ClusterRole in Admin Mode. Severity: Low. CVE-2026-23634, published for pepr (npm) on Jan 15, 2026.
Quill is vulnerable to XSS via HTML export feature. Severity: Low. CVE-2025-15056, published for quill (npm) on Jan 13, 2026.
QuestDB UI's Web Console is Vulnerable to Cross-Site Scripting. Severity: Low. CVE-2026-0824, published for @questdb/web-console (npm) on Jan 10, 2026.
Orejime has executable code in HTML attributes. Severity: Low. CVE-2025-68457, published for orejime (npm) on Dec 19, 2025.
pm2 Regular Expression Denial of Service vulnerability. Severity: Low. CVE-2025-5891, published for pm2 (npm) on Jun 9, 2025.
Elliptic Uses a Cryptographic Primitive with a Risky Implementation. Severity: Low. CVE-2025-14505, published for elliptic (npm) on Jan 8, 2026.
JavaScript SDK v2 users should add validation to the region parameter value in or migrate to v3. Severity: Low. GHSA-j965-2qgj-vjmq, published for aws-sdk (npm) on Jan 8, 2026.
AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value. Severity: Low. GHSA-6475-r3vj-m8vf, published for @smithy/config-resolver (npm) on Jan 8, 2026.
Tuta Mail has DOM attribute and CSS injection in its Contact Viewer feature. Severity: Low. GHSA-24v3-254g-jv85, published for @tutao/tutanota-utils (npm) on Dec 19, 2025.
Mattermost Desktop App exposes sensitive information in its application logs. Severity: Low. CVE-2025-13321, published for mattermost-desktop (npm) on Dec 17, 2025.
ProTip! Advisories are also available from the GraphQL API.
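As an added example (not code from GitHub or from this page), the script below pulls the same kind of listing over the GraphQL API the tip points at: npm packages with Low-severity advisories. It assumes the public schema's `securityVulnerabilities` connection and the field names used in `QUERY`, and a personal access token in the `GITHUB_TOKEN` environment variable for a live call. Without a token it parses `SAMPLE_RESPONSE`, a constructed response shaped like two entries on this page (the undici CVE and the withdrawn braces duplicate); the version ranges and the undici GHSA id in that sample are placeholders, not real data.

```python
"""Fetch Low-severity npm entries from the GitHub Advisory Database via GraphQL.

Added example; assumes the securityVulnerabilities connection and the fields
named in QUERY, plus GITHUB_TOKEN for live calls. Offline it uses SAMPLE_RESPONSE.
"""
from __future__ import annotations

import json
import os
import urllib.request
from dataclasses import dataclass
from typing import Optional

GRAPHQL_URL = "https://api.github.com/graphql"

# Ecosystem and severity filters hang off securityVulnerabilities (one node per
# package/version range), each of which links back to its advisory.
QUERY = """
query($first: Int!, $ecosystem: SecurityAdvisoryEcosystem, $severities: [SecurityAdvisorySeverity!]) {
  securityVulnerabilities(first: $first, ecosystem: $ecosystem, severities: $severities,
                          orderBy: {field: UPDATED_AT, direction: DESC}) {
    nodes {
      package { ecosystem name }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
      advisory {
        ghsaId summary severity publishedAt withdrawnAt
        identifiers { type value }
      }
    }
  }
}
"""


@dataclass(frozen=True)
class Entry:
    ghsa_id: str
    cve_id: Optional[str]
    summary: str
    severity: str
    ecosystem: str
    package: str
    vulnerable_range: str
    first_patched: Optional[str]
    published_at: str
    withdrawn: bool


def fetch(token: str, ecosystem: str = "NPM", severities=("LOW",), first: int = 50) -> dict:
    """POST the query with a bearer token and return the raw JSON (network call)."""
    payload = {"query": QUERY,
               "variables": {"first": first, "ecosystem": ecosystem, "severities": list(severities)}}
    req = urllib.request.Request(
        GRAPHQL_URL, data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json",
                 "User-Agent": "advisory-listing-example"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse(response: dict) -> list[Entry]:
    """Flatten a securityVulnerabilities response; GraphQL errors are fatal, not ignored."""
    if response.get("errors"):
        raise RuntimeError(f"GraphQL errors: {response['errors']}")
    entries = []
    for node in response["data"]["securityVulnerabilities"]["nodes"]:
        adv = node["advisory"]
        cve = next((i["value"] for i in adv["identifiers"] if i["type"] == "CVE"), None)
        patched = node.get("firstPatchedVersion")  # null when nothing is fixed (or withdrawn)
        entries.append(Entry(
            ghsa_id=adv["ghsaId"], cve_id=cve, summary=adv["summary"], severity=adv["severity"],
            ecosystem=node["package"]["ecosystem"], package=node["package"]["name"],
            vulnerable_range=node["vulnerableVersionRange"],
            first_patched=patched["identifier"] if patched else None,
            published_at=adv["publishedAt"], withdrawn=adv.get("withdrawnAt") is not None))
    return entries


def format_line(e: Entry) -> str:
    """One line per entry, in the shape the listing page uses; CVE preferred over GHSA id."""
    ident = e.cve_id or e.ghsa_id
    line = (f"{e.summary}. Severity: {e.severity}. {ident}, "
            f"{e.package} ({e.ecosystem.lower()}), published {e.published_at[:10]}")
    return line + " (withdrawn)" if e.withdrawn else line


# Constructed sample shaped like two entries on the page; placeholders are marked.
SAMPLE_RESPONSE = {"data": {"securityVulnerabilities": {"nodes": [
    {"package": {"ecosystem": "NPM", "name": "undici"},
     "vulnerableVersionRange": "<placeholder range>",
     "firstPatchedVersion": {"identifier": "<placeholder version>"},
     "advisory": {"ghsaId": "GHSA-placeholder",  # the page shows only the CVE for this one
                  "summary": "undici Denial of Service attack via bad certificate data",
                  "severity": "LOW", "publishedAt": "2025-05-15T00:00:00Z", "withdrawnAt": None,
                  "identifiers": [{"type": "GHSA", "value": "GHSA-placeholder"},
                                  {"type": "CVE", "value": "CVE-2025-47279"}]}},
    {"package": {"ecosystem": "NPM", "name": "braces"},
     "vulnerableVersionRange": "<placeholder range>", "firstPatchedVersion": None,
     "advisory": {"ghsaId": "GHSA-g95f-p29q-9xw4",
                  "summary": "Duplicate Advisory: Regular Expression Denial of Service in braces",
                  "severity": "LOW", "publishedAt": "2019-06-06T00:00:00Z",
                  "withdrawnAt": "2019-06-06T00:00:00Z",  # placeholder timestamp
                  "identifiers": [{"type": "GHSA", "value": "GHSA-g95f-p29q-9xw4"}]}},
]}}}

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    response = fetch(token) if token else SAMPLE_RESPONSE
    for entry in parse(response):
        print(format_line(entry))
```

Two choices worth noting: `parse` raises on a GraphQL `errors` array rather than silently returning an empty list, because an expired token or a schema change would otherwise look like "no advisories"; and a withdrawn advisory is kept but marked, since the listing page keeps withdrawn duplicates visible too.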