GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,388 advisories

vm2 has a Sandbox Escape issue Critical
CVE-2026-47131 was published for vm2 (npm) May 29, 2026
vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter Low
GHSA-q3fm-4wcw-g57x was published for vm2 (npm) May 29, 2026
Credited to fg0x0
vm2 is Vulnerable to Sandbox Breakout Through Promise Species Critical
CVE-2026-47208 was published for vm2 (npm) May 29, 2026
Credited to XmiliaH
Credited to q1uf3ng
Credited to q1uf3ngONEKEY
vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass Critical
CVE-2026-47210 was published for vm2 (npm) May 29, 2026
Credited to RealHurrison
ExifReader is vulnerable to denial of service via unbounded decompression of image metadata Moderate
CVE-2026-8814 was published for exifreader (npm) May 29, 2026
Credited to yuki-matsuhashi
ExifReader is vulnerable to denial of service via crafted ICC `mluc` tag High
CVE-2026-8813 was published for exifreader (npm) May 29, 2026
Credited to yuki-matsuhashi
NodeVM builtin denylist bypass via process and inspector/promises allows host code execution Critical
CVE-2026-47140 was published for vm2 (npm) May 29, 2026
Credited to spbavarva and VladimirEliTokarev
NodeVM network builtin exclusions bypass via internal _http_client and _http_server High
CVE-2026-47139 was published for vm2 (npm) May 29, 2026
Credited to spbavarva
NodeVM observability builtins leak host process and HTTP request data Moderate
CVE-2026-47141 was published for vm2 (npm) May 29, 2026
Credited to spbavarva
Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers Moderate
CVE-2026-47248 was published for parse-server (npm) May 29, 2026
Credited to offset and mtrezza
AgenticMail API/storage and outbound relay hardening fixes High
CVE-2026-47255 was published for @agenticmail/api (npm) May 29, 2026
@agenticmail/mcp Missing Authentication for Critical Function High
GHSA-63gr-g7jc-v8rg was published for @agenticmail/mcp (npm) Jun 1, 2026
DOMPurify XSS via selectedcontent re-clone High
CVE-2026-47423 was published for dompurify (npm) Jun 1, 2026
Credited to KabirAcharya
When Vitest UI server is listening, arbitrary file can be read and executed Critical
CVE-2026-47429 was published for vitest (npm) Jun 1, 2026
Credited to sapphi-red
Vitest browser mode serves unsanitized otelCarrier query parameter as inline script Critical
CVE-2026-47428 was published for @vitest/browser (npm) Jun 1, 2026
Credited to tomohiro86
launch-editor vulnerable to command injection via the crafted request on Windows High
CVE-2024-52011 was published for launch-editor (npm) Jun 3, 2026
Credited to Ry0taK
React Router has stored XSS via unescaped Location header in prerendered redirect HTML Moderate
CVE-2026-33244 was published for react-router (npm) Jun 3, 2026
Credited to yuito-it
React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets High
CVE-2026-33245 was published for react-router (npm) Jun 3, 2026
Credited to x4cc3
Credited to SM41ldRag0n
React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint High
CVE-2026-42342 was published for @remix-run/server-runtime (npm) Jun 3, 2026
Credited to adrgs and aisafe-bot
browserstack-runner has an unauthenticated arbitrary file read via path traversal in HTTP server High
CVE-2026-49144 was published for browserstack-runner (npm) Jun 3, 2026
Credited to Christbowel
ProTip! Advisories are also available from the GraphQL API