
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

404 advisories

xygeni-action v5 tag poisoned with C2 backdoor Critical
CVE-2026-31976 was published for xygeni/xygeni-action (GitHub Actions) Mar 11, 2026
Credited to Nick2bad4u
`polymarket-client-sdks` was removed from crates.io for malicious code Critical
GHSA-p5vf-5754-x7p3 was published for polymarket-client-sdks (Rust) Feb 13, 2026
`sha-rst` was removed from crates.io for malicious code Critical
GHSA-vgr2-r5hm-f6gf was published for sha-rst (Rust) Feb 12, 2026
`finch_cli_rust` was removed from crates.io for malicious code Critical
GHSA-6v2j-vr4h-f632 was published for finch_cli_rust (Rust) Feb 12, 2026
`finch-rst` was removed from crates.io for malicious code Critical
GHSA-xp79-9mxw-878j was published for finch-rst (Rust) Feb 12, 2026
A single post-release of dydx-v4-client contained obfuscated multi-stage loader Critical
GHSA-4f84-67cv-qrv3 was published for dydx-v4-client (pip) Feb 6, 2026
Duplicate Advisory: Malicious versions of Nx were published Critical
GHSA-8mjq-32x3-22qf was published for nx (npm) Sep 25, 2025 withdrawn
is-arrayish@0.3.3 contains malware after npm account takeover High
CVE-2025-59331 was published for is-arrayish (npm) Sep 15, 2025
error-ex@1.3.3 contains malware after npm account takeover High
CVE-2025-59330 was published for error-ex (npm) Sep 15, 2025
color-convert@3.1.1 contains malware after npm account takeover High
CVE-2025-59162 was published for color-convert (npm) Sep 15, 2025
color-name@2.0.1 contains malware after npm account takeover High
CVE-2025-59145 was published for color-name (npm) Sep 15, 2025
debug@4.4.2 contains malware after npm account takeover High
CVE-2025-59144 was published for debug (npm) Sep 15, 2025
color@5.0.1 contains malware after npm account takeover High
CVE-2025-59143 was published for color (npm) Sep 15, 2025
color-string@2.1.1 contains malware after npm account takeover High
CVE-2025-59142 was published for color-string (npm) Sep 15, 2025
simple-swizzle@0.2.3 contains malware after npm account takeover High
CVE-2025-59141 was published for simple-swizzle (npm) Sep 15, 2025
backslash@0.2.1 contains malware after npm account takeover High
CVE-2025-59140 was published for backslash (npm) Sep 15, 2025
MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency Moderate
GHSA-qj3p-xc97-xw74 was published for @metamask/sdk (npm) Sep 15, 2025
Prebid-universal-creative latest on npm briefly compromised Critical
CVE-2025-59039 was published for prebid-universal-creative (npm) Sep 11, 2025
Prebid.js NPM package briefly compromised High
CVE-2025-59038 was published for prebid.js (npm) Sep 11, 2025
DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware High
CVE-2025-59037 was published for @duckdb/duckdb-wasm (npm) Sep 9, 2025
Malicious versions of Nx were published Critical
CVE-2025-10894 was published for @nx/devkit (npm) Aug 27, 2025
Credited to jahredhope, tadhglewis, hckhanh, and TimShilov
num2words subjected to phishing attack, two versions published containing malware Critical
GHSA-jxr6-qrxx-2ph2 was published for num2words (pip) Jul 31, 2025
Credited to Pradoxzon
Compromised xrpl.js versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2 Critical
CVE-2025-32965 was published for xrpl (npm) Apr 22, 2025
Multiple Reviewdog actions were compromised during a specific time period High
CVE-2025-30154 was published for reviewdog/action-setup (GitHub Actions) Mar 19, 2025
Credited to sshayb and ramimac