Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,948
Maven
5,000+
npm
5,000+
NuGet
969
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,383
Swift
56
Unreviewed advisories
All unreviewed
5,000+

85 advisories

Loading
Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix Low
CVE-2026-44489 was published for axios (npm) May 29, 2026
Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header... High Unreviewed
CVE-2026-9658 was published May 28, 2026
HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control... Moderate Unreviewed
CVE-2026-7010 was published May 12, 2026
eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields Moderate
CVE-2026-44214 was published for eventsource-encoder (npm) May 8, 2026
Netty has HTTP Header Injection via HttpProxyHandler Disabled Validation (Incomplete Fix CVE-2025-67735) Low
CVE-2026-42578 was published for io.netty:netty-handler-proxy (Maven) May 7, 2026
August829 Credited to August829
Microdot has HTTP response splitting in Response.set_cookie() Low
CVE-2026-42874 was published for microdot (pip) May 5, 2026
luantq0 Credited to luantq0
Axios: Header Injection via Prototype Pollution High
CVE-2026-42035 was published for axios (npm) May 5, 2026
raulvdv Credited to raulvdv
i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header High
CVE-2026-41683 was published for i18next-http-middleware (npm) Apr 22, 2026
Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header High
CVE-2026-39971 was published for s9y/serendipity (Composer) Apr 14, 2026
mabjr33 Credited to mabjr33
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain Moderate
CVE-2026-40175 was published for axios (npm) Apr 10, 2026
raulvdv Credited to raulvdv, SwTan98, Wenxin-Jiang, jasonsaayman, and ylemkimon SwTan98 SwTan98
Wenxin-Jiang Wenxin-Jiang jasonsaayman jasonsaayman ylemkimon ylemkimon
Hono missing validation of cookie name on write path in setCookie() Moderate
GHSA-26pp-8wgv-hjvm was published for hono (npm) Apr 8, 2026
athuljayaram Credited to athuljayaram
Electron: HTTP Response Header Injection in custom protocol handlers and webRequest Moderate
CVE-2026-34767 was published for electron (npm) Apr 3, 2026
ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting) Moderate
CVE-2026-34715 was published for ewe (Erlang) Apr 1, 2026
athuljayaram Credited to athuljayaram
AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass Low
CVE-2026-34520 was published for aiohttp (pip) Apr 1, 2026
vmfunc Credited to vmfunc, oxqnd, and rodrigobnogueira oxqnd oxqnd
rodrigobnogueira rodrigobnogueira
AIOHTTP has HTTP response splitting via \r in reason phrase Low
CVE-2026-34519 was published for aiohttp (pip) Apr 1, 2026
DHIRAL2908 Credited to DHIRAL2908
AIOHTTP has CRLF injection through multipart part content type header construction Low
CVE-2026-34514 was published for aiohttp (pip) Apr 1, 2026
mingijunggrape Credited to mingijunggrape
HCL Aftermarket DPC is affected by HTTP Response Splitting vulnerability where in depending on... Low Unreviewed
CVE-2025-55271 was published Mar 26, 2026
Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie() Moderate
CVE-2026-29086 was published for hono (npm) Mar 4, 2026
TarPeg007 Credited to TarPeg007
Due to a CRLF Injection vulnerability in SAP NetWeaver Application Server Java, an authenticated... Low Unreviewed
CVE-2026-23686 was published Feb 10, 2026
Due to improper memory management in SAP NetWeaver and ABAP Platform (Application Server ABAP),... Low Unreviewed
CVE-2026-24320 was published Feb 10, 2026
Gakido vulnerable to HTTP Header Injection (CRLF Injection) Moderate
CVE-2026-24489 was published for gakido (pip) Jan 26, 2026
omarkurt Credited to omarkurt
BlackSheep's ClientSession is vulnerable to CRLF injection Moderate
CVE-2026-22779 was published for blacksheep (pip) Jan 14, 2026
tr4ce-ju Credited to tr4ce-ju
CGI::Simple versions before 1.282 for Perl has a HTTP response splitting flaw This vulnerability... High Unreviewed
CVE-2025-40927 was published Aug 29, 2025
SAP S/4HANA Supplier invoice is vulnerable to CRLF Injection. An attacker with user-level... Moderate Unreviewed
CVE-2025-42934 was published Aug 12, 2025
Spring Framework vulnerable to a reflected file download (RFD) Moderate
CVE-2025-41234 was published for org.springframework:spring-web (Maven) Jun 13, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database