GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed (5,000+), Composer (5,000+), Erlang (40), GitHub Actions (41), Go (3,026), Maven (5,000+), npm (4,763), NuGet (824), pip (4,366), Pub (12), RubyGems (987), Rust (1,143), Swift (50)
Unreviewed advisories: All unreviewed (5,000+)
1,520 advisories
SignalK Server has Path Traversal leading to information disclosure
Moderate • CVE-2026-25228 was published for signalk-server (npm) • Feb 2, 2026

jsPDF Vulnerable to Stored XMP Metadata Injection (Spoofing & Integrity Violation)
Moderate • CVE-2026-24043 was published for jspdf (npm) • Feb 2, 2026

jsPDF has Shared State Race Condition in addJS Plugin
Moderate • CVE-2026-24040 was published for jspdf (npm) • Feb 2, 2026

@backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator
Moderate • CVE-2026-25152 was published for @backstage/plugin-techdocs-node (npm) • Feb 2, 2026

LobeHub Vulnerable to Improper Authorization in Presigned Upload
Moderate • CVE-2026-23835 was published for @lobehub/chat (npm) • Feb 1, 2026

Maker.js has Unsafe Property Copying in makerjs.extendObject
Moderate • CVE-2026-24888 was published for makerjs (npm) • Jan 29, 2026

NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS
Moderate • CVE-2026-24766 was published for nocodb (npm) • Jan 28, 2026

NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality
Moderate • CVE-2026-24767 was published for nocodb (npm) • Jan 28, 2026

NocoDB has Unvalidated Redirect in Login Flow via continueAfterSignIn Parameter
Moderate • CVE-2026-24768 was published for nocodb (npm) • Jan 28, 2026

JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js
Moderate • CVE-2025-61140 was published for jsonpath (npm) • Jan 28, 2026

BrowserStack Local vulnerable to Command Injection through logfile variable
Moderate • CVE-2025-57283 was published for browserstack-local (npm) • Jan 28, 2026

Hono vulnerable to XSS through ErrorBoundary component
Moderate • CVE-2026-24771 was published for hono (npm) • Jan 28, 2026

Next.js has Unbounded Memory Consumption via PPR Resume Endpoint
Moderate • CVE-2025-59472 was published for next (npm) • Jan 28, 2026

vlt Mishandles Path Sanitization for tar
Moderate • CVE-2026-24909 was published for @vltpkg/tar (npm) • Jan 28, 2026

StudioCMS has Authorization Bypass Through User-Controlled Key
Moderate • CVE-2026-24134 was published for studiocms (npm) • Jan 27, 2026

Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration
Moderate • CVE-2025-59471 was published for next (npm) • Jan 27, 2026

Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)
Moderate • CVE-2026-24473 was published for hono (npm) • Jan 27, 2026

Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception
Moderate • CVE-2026-24472 was published for hono (npm) • Jan 27, 2026

Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing
Moderate • CVE-2026-24398 was published for hono (npm) • Jan 27, 2026

pnpm has Path Traversal via arbitrary file permission modification
Moderate • CVE-2026-24131 was published for pnpm (npm) • Jan 26, 2026

pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
Moderate • CVE-2026-23888 was published for pnpm (npm) • Jan 26, 2026

pnpm has Windows-specific tarball Path Traversal
Moderate • CVE-2026-23889 was published for pnpm (npm) • Jan 26, 2026

pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin
Moderate • CVE-2026-23890 was published for pnpm (npm) • Jan 26, 2026

pnpm has symlink traversal in file:/git dependencies
Moderate • CVE-2026-24056 was published for pnpm (npm) • Jan 26, 2026

Withdrawn Advisory: eslint has a Stack Overflow when serializing objects with circular references
Moderate • CVE-2025-50537 was published for eslint (npm) • Jan 26, 2026 • withdrawn

ProTip! Advisories are also available from the GraphQL API.