Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
86
GitHub Actions
54
Go
4,169
Maven
5,000+
npm
5,000+
NuGet
1,019
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,421
Swift
61
Unreviewed advisories
All unreviewed
5,000+

31 advisories

Loading
React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE High
CVE-2026-42211 was published for react-router (npm) Jun 3, 2026
SM41ldRag0n Credited to SM41ldRag0n
TanStack Start - Server Core: Inbound server-function request deserialization could invoke a sibling client-referenced server function Moderate
GHSA-9m65-766c-r333 was published for @tanstack/start-server-core (npm) May 14, 2026
mufeedvh Credited to mufeedvh
LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning High
CVE-2026-45134 was published for langchain (npm) May 13, 2026
Moaaz-0x Credited to Moaaz-0x and berardinellidaniele berardinellidaniele berardinellidaniele
React Server Components have a Denial of Service Vulnerability High
CVE-2026-23869 was published for react-server-dom-parcel (npm) Apr 10, 2026
Replicator deserializes untrusted user input Moderate
CVE-2026-2265 was published for replicator (npm) Apr 1, 2026
Qwik vulnerable to Unauthenticated RCE via server$ Deserialization Critical
CVE-2026-27971 was published for @builder.io/qwik (npm) Mar 2, 2026
sebastianosrt Credited to sebastianosrt
Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components High
GHSA-h25m-26qc-wcjf was published for next (npm) Jan 28, 2026
seroval Affected by Remote Code Execution via JSON Deserialization High
CVE-2026-23737 was published for seroval (npm) Jan 21, 2026
GabbeV Credited to GabbeV, tweidinger, and lxsmnsyc tweidinger tweidinger
lxsmnsyc lxsmnsyc
LangChain serialization injection vulnerability enables secret extraction High
CVE-2025-68665 was published for @langchain/core (npm) Dec 23, 2025
eyurtsev Credited to eyurtsev, ccurme, mdrxy, 0xn3va, yardenporat353, VladimirEliTokarev, hntrl, siewer, and jacoblee93 ccurme ccurme
mdrxy mdrxy 0xn3va 0xn3va yardenporat353 yardenporat353 VladimirEliTokarev VladimirEliTokarev hntrl hntrl siewer siewer jacoblee93 jacoblee93
Withdrawn Advisory: LikeC4 has RCE through vulnerable React and Next.js versions Critical
GHSA-vr6p-vq2p-6j74 was published for likec4 (npm) Dec 15, 2025 withdrawn
fnuttens Credited to fnuttens and davydkov davydkov davydkov
Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up High
GHSA-5j59-xgg2-r9c4 was published for next (npm) Dec 12, 2025
xpertforextradeinc Credited to xpertforextradeinc
Vite Plugin React has a Source Code Exposure Vulnerability in React Server Components Moderate
GHSA-c6m7-q6pr-c64r was published for @vitejs/plugin-rsc (npm) Dec 12, 2025
Vite Plugin React has a Denial of Service Vulnerability in React Server Components High
GHSA-cpqf-f22c-r95x was published for @vitejs/plugin-rsc (npm) Dec 12, 2025
Denial of Service Vulnerability in React Server Components High
CVE-2025-67779 was published for react-server-dom-parcel (npm) Dec 12, 2025
Next Server Actions Source Code Exposure Moderate
GHSA-w37m-7fhw-fmv9 was published for next (npm) Dec 11, 2025
Next Vulnerable to Denial of Service with Server Components High
GHSA-mwv6-3258-q52c was published for next (npm) Dec 11, 2025
Ry0taK Credited to Ry0taK
Denial of Service Vulnerability in React Server Components High
CVE-2025-55184 was published for react-server-dom-parcel (npm) Dec 11, 2025
Ry0taK Credited to Ry0taK
Source Code Exposure Vulnerability in React Server Components Moderate
CVE-2025-55183 was published for react-server-dom-parcel (npm) Dec 11, 2025
React Server Components are Vulnerable to RCE Critical
GHSA-fmh4-wr37-44fp was published for @vitejs/plugin-rsc (npm) Dec 3, 2025
React Server Components are Vulnerable to RCE Critical
CVE-2025-55182 was published for react-server-dom-parcel (npm) Dec 3, 2025
lachlan2k Credited to lachlan2k, PiotrBorowski, nozo-moto, leogasparini, mtorp, mnahkies, mswilson, and AsapHogFtw PiotrBorowski PiotrBorowski
nozo-moto nozo-moto leogasparini leogasparini mtorp mtorp mnahkies mnahkies mswilson mswilson AsapHogFtw AsapHogFtw
Next.js is vulnerable to RCE in React flight protocol Critical
GHSA-9qr9-h5gf-34mp was published for next (npm) Dec 3, 2025
lachlan2k Credited to lachlan2k, bytera, larskaare, mswilson, conorfitch, tockn, yusuke-koyoshi, bottarocarlo, and jcburgo bytera bytera
larskaare larskaare mswilson mswilson conorfitch conorfitch tockn tockn yusuke-koyoshi yusuke-koyoshi bottarocarlo bottarocarlo jcburgo jcburgo
kurwov vulnerable to Denial of Service due to improper data sanitization Moderate
CVE-2024-34075 was published for kurwov (npm) May 3, 2024
SuperchupuDev Credited to SuperchupuDev
replicator vulnerable to Deserialization of Untrusted Data Critical
CVE-2021-33420 was published for replicator (npm) Dec 15, 2022
Unsanitized JavaScript code injection possible in gatsby-plugin-mdx High
CVE-2022-25863 was published for gatsby-plugin-mdx (npm) Jun 3, 2022
Deserialization of Untrusted Data in bson Moderate
CVE-2019-2391 was published for bson (npm) Feb 10, 2022
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database