GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 92; GitHub Actions 54; Go 4,217; Maven 5,000+; npm 5,000+; NuGet 1,021; pip 5,000+; Pub 13; RubyGems 1,103; Rust 1,443; Swift 61.
Unreviewed advisories: All unreviewed 5,000+.

59 advisories
OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure
Severity: High. CVE-2026-35633 was published for openclaw (npm) on Mar 26, 2026.

Kozou: Unauthenticated MCP HTTP server and bundled dev-stack hardening (DNS-rebinding, request-body limits, read-only reads, default network exposure)
Severity: High. GHSA-v52w-28xh-v562 was published for @kozou/api (npm) on Jun 19, 2026.

undici WebSocket client vulnerable to denial of service via fragment count bypass
Severity: High. CVE-2026-12151 was published for undici (npm) on Jun 19, 2026.

undici WebSocket client vulnerable to denial of service via cumulative fragment bypass
Severity: High. CVE-2026-9675 was published for undici (npm) on Jun 18, 2026.

ws: Memory exhaustion DoS from tiny fragments and data chunks
Severity: High. CVE-2026-48779 was published for ws (npm) on Jun 15, 2026.

Allocation of Resources Without Limits or Throttling in Axios
Severity: High. CVE-2026-44488 was published for axios (npm) on Jun 4, 2026.

image-size Denial of Service via Infinite Loop during Image Processing
Severity: High. CVE-2025-71319 was published for image-size (npm) on Apr 2, 2025.

Svelte devalue: DoS via sparse array deserialization
Severity: High. CVE-2026-42570 was published for devalue (npm) on May 14, 2026.

Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution
Severity: High. CVE-2026-34148 was published for @fedify/fedify (npm) on Apr 7, 2026.

OpenClaw: Voice-call realtime WebSocket accepted oversized frames
Severity: High. CVE-2026-42437 was published for openclaw (npm) on Apr 17, 2026.

OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure
Severity: High. CVE-2026-32062 was published for @openclaw/voice-call (npm) on Mar 2, 2026.

React Router vulnerable to Denial of Service via reflected user input in single-fetch
Severity: High. CVE-2026-34077 was published for react-router (npm) on Jun 4, 2026.

Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components
Severity: High. CVE-2026-44579 was published for next (npm) on May 11, 2026.

vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion
Severity: High. CVE-2026-44004 was published for vm2 (npm) on May 7, 2026.

basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
Severity: High. CVE-2026-44240 was published for basic-ftp (npm) on May 6, 2026.

@vitejs/plugin-rsc has a Denial of Service Vulnerability in React Server Components
Severity: High. GHSA-w94c-4vhp-22gx was published for @vitejs/plugin-rsc (npm) on May 11, 2026.

Next.js Vulnerable to Denial of Service with Server Components
Severity: High. GHSA-8h8q-6873-q5fj was published for next (npm) on May 11, 2026.

Facebook React has a Denial of Service Vulnerability in React Server Components
Severity: High. CVE-2026-23870 was published for react-server-dom-parcel (npm) on May 11, 2026.

@fastify/accepts-serializer Vulnerable to Denial of Service via Unbounded Accept Header Cache Growth
Severity: High. CVE-2026-7768 was published for @fastify/accepts-serializer (npm) on May 8, 2026.

n8n Vulnerable to Unauthenticated Denial of Service via MCP Client Registration
Severity: High. CVE-2026-42236 was published for n8n (npm) on Apr 29, 2026.

Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack
Severity: High. CVE-2026-27601 was published for underscore (npm) on Mar 3, 2026.

Nest Affected by DoS via Recursive handleData in JsonSocket (TCP Transport)
Severity: High. CVE-2026-40879 was published for @nestjs/microservices (npm) on Apr 14, 2026.

Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding
Severity: High. CVE-2025-68272 was published for signalk-server (npm) on Jan 2, 2026.

basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()
Severity: High. CVE-2026-41324 was published for basic-ftp (npm) on Apr 16, 2026.

MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport
Severity: High. CVE-2026-39313 was published for mcp-framework (npm) on Apr 16, 2026.
Advisories are also available from the GraphQL API.