GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

106 advisories

@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url Low
GHSA-rp72-5v5q-2446 was published for @cardano402/mcp-server (npm) Jun 26, 2026
Credited to MorganOnCode
undici WebSocket client vulnerable to denial of service via fragment count bypass High
CVE-2026-12151 was published for undici (npm) Jun 19, 2026
Credited to lpinca, Nadav0077, and UlisesGascon
undici WebSocket client vulnerable to denial of service via cumulative fragment bypass High
CVE-2026-9675 was published for undici (npm) Jun 18, 2026
Credited to mauriceng98, Str1ckl4nd, mcollina, and UlisesGascon
OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation Moderate
CVE-2026-54285 was published for @opentelemetry/core (npm) Jun 15, 2026
Credited to tonghuaroot, pichlermarc, trentm, and arminru
protobufjs: Memory amplification from preserved unknown fields in binary decode Moderate
CVE-2026-54270 was published for protobufjs (npm) Jun 15, 2026
Credited to sondt99 and dcodeIO
ws: Memory exhaustion DoS from tiny fragments and data chunks High
CVE-2026-48779 was published for ws (npm) Jun 15, 2026
Credited to Nadav0077
Allocation of Resources Without Limits or Throttling in Axios High
CVE-2026-44488 was published for axios (npm) Jun 4, 2026
Credited to asadeddin
image-size Denial of Service via Infinite Loop during Image Processing High
CVE-2025-71319 was published for image-size (npm) Apr 2, 2025
Credited to dellalibera and TheFrankemon
Svelte devalue: DoS via sparse array deserialization High
CVE-2026-42570 was published for devalue (npm) May 14, 2026
Credited to elliott-with-the-longest-name-on-github, dummdidumm, and kq5y
Credited to wrathsec
OpenClaw: Voice-call realtime WebSocket accepted oversized frames High
CVE-2026-42437 was published for openclaw (npm) Apr 17, 2026
Credited to G0odUser
React Router vulnerable to Denial of Service via reflected user input in single-fetch High
CVE-2026-34077 was published for react-router (npm) Jun 4, 2026
Credited to Oceandust
NocoDB: Attachment Size Limit Bypass via Upload-by-URL Low
CVE-2026-46553 was published for nocodb (npm) May 21, 2026
Credited to bugbunny-research
NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion Moderate
CVE-2026-46551 was published for nocodb (npm) May 21, 2026
Credited to ik0z
Next.js has a Denial of Service in the Image Optimization API Moderate
CVE-2026-44577 was published for next (npm) May 11, 2026
Credited to koDove
Credited to thesmartshadow
@vitejs/plugin-rsc has a Denial of Service Vulnerability in React Server Components High
GHSA-w94c-4vhp-22gx was published for @vitejs/plugin-rsc (npm) May 11, 2026
Next.js Vulnerable to Denial of Service with Server Components High
GHSA-8h8q-6873-q5fj was published for next (npm) May 11, 2026
Facebook React has a Denial of Service Vulnerability in React Server Components High
CVE-2026-23870 was published for react-server-dom-parcel (npm) May 11, 2026
@fastify/accepts-serializer Vulnerable to Denial of Service via Unbounded Accept Header Cache Growth High
CVE-2026-7768 was published for @fastify/accepts-serializer (npm) May 8, 2026
Credited to yuki-matsuhashi and UlisesGascon
n8n Vulnerable to Unauthenticated Denial of Service via MCP Client Registration High
CVE-2026-42236 was published for n8n (npm) Apr 29, 2026
Credited to ori-ron