GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,459 advisories

Cube Core is vulnerable to Denial of Service (DoS) via crafted request Moderate
CVE-2026-25957 was published for @cubejs-backend/server-core (npm) Feb 10, 2026
Credited to ovr
unity-cli Exposes Plaintext Credentials in Debug Logs (sign-package command) Moderate
CVE-2026-25918 was published for @rage-against-the-pixel/unity-cli (npm) Feb 10, 2026
mcp-maigret vulnerable to command injection Moderate
CVE-2026-2130 was published for mcp-maigret (npm) Feb 8, 2026
LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection Moderate
CVE-2026-25528 was published for langsmith (npm) Feb 9, 2026
payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments) Moderate
CVE-2026-25574 was published for payload (npm) Feb 5, 2026
Credited to s2ongmo
Sandbox escape via infinite recursion and error objects Moderate
CVE-2026-25533 was published for @enclave-vm/core (npm) Feb 5, 2026
Credited to cristianstaicu and frontegg-david
n8n's domain allowlist bypass enables credential exfiltration Moderate
CVE-2026-25631 was published for n8n (npm) Feb 4, 2026
Credited to weblover12
SCEditor has DOM XSS via emoticon URL/HTML injection Moderate
CVE-2026-25581 was published for sceditor (npm) Feb 6, 2026
Credited to sofianeelhor
client-certificate-auth Vulnerable to Open Redirect via Host Header Injection in HTTP-to-HTTPS redirect Moderate
CVE-2026-25651 was published for client-certificate-auth (npm) Feb 6, 2026
mdast-util-to-hast has unsanitized class attribute Moderate
CVE-2025-66400 was published for mdast-util-to-hast (npm) Dec 2, 2025
Next.js has Unbounded Memory Consumption via PPR Resume Endpoint Moderate
CVE-2025-59472 was published for next (npm) Jan 28, 2026
Credited to cylewaitforit
Credited to gabrielmendes98
KaTeX's maxExpand bypassed by `\edef` Moderate
CVE-2024-28243 was published for katex (npm) Mar 25, 2024
Credited to jupenur, edemaine, and Wenxin-Jiang
OpenClaw Vulnerable to Local File Inclusion via MEDIA: Path Extraction Moderate
CVE-2026-25475 was published for openclaw (npm) Feb 4, 2026
Credited to jasonsutter87 and evanotero
Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter) Moderate
CVE-2026-24473 was published for hono (npm) Jan 27, 2026
Credited to kilkat and JungJoonWoo
Qwik City has a CSRF Protection Bypass via Content-Type Header Validation Moderate
CVE-2026-25151 was published for @builder.io/qwik-city (npm) Feb 3, 2026
Credited to KageShiron
Qwik SSR XSS via Unsafe Virtual Node Serialization Moderate
CVE-2026-25148 was published for @builder.io/qwik-city (npm) Feb 3, 2026
Credited to wodzen
Improper Validation and Sanitization in url-parse Moderate
CVE-2020-8124 was published for url-parse (npm) Jan 6, 2022
Credited to ljharb
Open redirect in url-parse Moderate
CVE-2021-3664 was published for url-parse (npm) Aug 10, 2021
Credited to ljharb
Path traversal in url-parse Moderate
CVE-2021-27515 was published for url-parse (npm) May 6, 2021
Credited to ljharb
url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. Moderate
CVE-2022-0691 was published for url-parse (npm) Feb 22, 2022
Credited to jhutchings1, Kenny2github, y-yagi, Haxatron, and ljharb
Cloudflare Agents SDK has Insecure Direct Object Reference (IDOR) via Header-Based Email Routing Moderate
CVE-2026-1664 was published for agents (npm) Feb 3, 2026
Duplicate Advisory: Regular Expression Denial of Service in simple-markdown Moderate
GHSA-4xf9-pgvv-xx67 was published for simple-markdown (npm) Sep 3, 2020 withdrawn
Credited to tdunlap607
Withdrawn Advisory: eslint has a Stack Overflow when serializing objects with circular references Moderate
CVE-2025-50537 was published for eslint (npm) Jan 26, 2026 withdrawn
Credited to lukemcgregor
ProTip! Advisories are also available from the GraphQL API