Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

21 advisories

Loading
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies Moderate
CVE-2026-9595 was published for webpack-dev-server (npm) Jun 17, 2026
bjohansebas Credited to bjohansebas and UlisesGascon UlisesGascon UlisesGascon
@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects Moderate
CVE-2026-48022 was published for @hapi/wreck (npm) Jun 11, 2026
SnailSploit Credited to SnailSploit
@cyclonedx/cdxgen: Docker registry auth substring match forwards credentials to a different registry Moderate
GHSA-qhh4-458h-xwh2 was published for @cyclonedx/cdxgen (npm) May 8, 2026
Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow Moderate
CVE-2026-34083 was published for signalk-server (npm) Apr 3, 2026
VashuVats Credited to VashuVats
Electron: Incorrect origin passed to permission request handler for iframe requests Moderate
CVE-2026-34777 was published for electron (npm) Apr 3, 2026
GraphQL API endpoint ignores CORS origin restriction Moderate
CVE-2026-34373 was published for parse-server (npm) Mar 30, 2026
mtrezza Credited to mtrezza
luz-oasis Credited to luz-oasis
Cache poisoning in @sveltejs/adapter-vercel Moderate
CVE-2026-27118 was published for @sveltejs/adapter-vercel (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
OpenClaw session tool visibility hardening and Telegram webhook secret fallback Moderate
CVE-2026-27004 was published for openclaw (npm) Feb 18, 2026
aether-ai-agent Credited to aether-ai-agent
React Router has CSRF issue in Action/Server Action Request Processing Moderate
CVE-2026-22030 was published for @remix-run/server-runtime (npm) Jan 8, 2026
Oceandust Credited to Oceandust
Parcel has an Origin Validation Error vulnerability Moderate
CVE-2025-56648 was published for @parcel/reporter-dev-server (npm) Sep 17, 2025
R4356th Credited to R4356th, G-Rath, and Pomax G-Rath G-Rath
Pomax Pomax
elysia-cors Origin Validation Error Moderate
CVE-2025-50864 was published for @elysiajs/cors (npm) Aug 20, 2025
sapphi-red Credited to sapphi-red
@misskey-dev/summaly allows IP Filter Bypass via Redirect Moderate
GHSA-jqx4-9gpq-rppm was published for @misskey-dev/summaly (npm) May 6, 2025
warriordog Credited to warriordog
esbuild enables any website to send any requests to the development server and read the response Moderate
GHSA-67mh-4wv8-2f99 was published for esbuild (npm) Feb 10, 2025
sapphi-red Credited to sapphi-red
Websites were able to send any requests to the development server and read the response in vite Moderate
CVE-2025-24010 was published for vite (npm) Jan 21, 2025
ivantsepp Credited to ivantsepp
pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion Moderate
CVE-2024-53866 was published for pnpm (npm) Dec 10, 2024
ChALkeR Credited to ChALkeR
Unintentional leakage of private information via cross-origin websocket session hijacking Moderate
CVE-2023-2850 was published for nodebb (npm) Jul 25, 2023
mowzk Credited to mowzk and barisusakli barisusakli barisusakli
Leaking of user information on Cross-Domain communication in sysend Moderate
CVE-2022-24762 was published for sysend (npm) Mar 14, 2022
CORS misconfiguration in socket.io Moderate
CVE-2020-28481 was published for socket.io (npm) Jan 20, 2021
User Impersonation in converse.js Moderate
CVE-2017-5858 was published for converse.js (npm) Sep 11, 2020
ProTip! Advisories are also available from the GraphQL API