GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
32 advisories
@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')
Moderate
CVE-2026-35515
was published
for
@nestjs/core
(npm)
Apr 6, 2026
h3: SSE Event Injection via Unsanitized Carriage Return (`\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix)
Moderate
GHSA-4hxc-9384-m385
was published
for
h3
(npm)
Mar 20, 2026
Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()
Moderate
CVE-2026-29085
was published
for
hono
(npm)
Mar 4, 2026
RediSearch Query Injection in @langchain/langgraph-checkpoint-redis
Moderate
CVE-2026-27022
was published
for
@langchain/langgraph-checkpoint-redis
(npm)
Feb 18, 2026
jsPDF Vulnerable to Stored XMP Metadata Injection (Spoofing & Integrity Violation)
Moderate
CVE-2026-24043
was published
for
jspdf
(npm)
Feb 2, 2026
Cocotais Bot has builtin .echo command injection
Moderate
CVE-2025-47948
was published
for
cocotais-bot
(npm)
May 19, 2025
ZX Allows Environment Variable Injection for dotenv API
Moderate
CVE-2025-24959
was published
for
zx
(npm)
Feb 3, 2025
PostCSS line return parsing error
Moderate
CVE-2023-44270
was published
for
postcss
(npm)
Sep 30, 2023
vm2 vulnerable to Inspect Manipulation
Moderate
CVE-2023-32313
was published
for
vm2
(npm)
May 17, 2023
Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type
Moderate
CVE-2022-35948
was published
for
undici
(npm)
Aug 18, 2022
@actions/core has Delimiter Injection Vulnerability in exportVariable
Moderate
CVE-2022-35954
was published
for
@actions/core
(npm)
Aug 18, 2022
ProTip!
Advisories are also available from the
GraphQL API