GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

21 advisories

Prototype pollution in nestie Critical
CVE-2021-25947 was published for nestie (npm) Jun 7, 2021
Prototype Pollution in config-handler Critical
CVE-2021-23448 was published for config-handler (npm) Oct 12, 2021
vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host Critical
CVE-2022-36067 was published for vm2 (npm) Sep 28, 2022
Credited to oxeye-gal, oxeye-yuval, and oxeye-daniel
vm2 vulnerable to sandbox escape Critical
CVE-2023-29017 was published for vm2 (npm) Apr 7, 2023
Credited to seongil-wi and rectcoordsystem
vm2 Sandbox Escape vulnerability Critical
CVE-2023-29199 was published for vm2 (npm) Apr 12, 2023
Credited to leesh3288
toui allows user-specific variables to be shared between users Critical
CVE-2023-33175 was published for toui (pip) May 24, 2023
TorchServe Pre-Auth Remote Code Execution Critical
GHSA-4mqg-h5jf-j9m7 was published for torchserve (pip) Oct 2, 2023
Remote code execution in pytorch lightning Critical
CVE-2024-5452 was published for lightning (pip) Jun 6, 2024
Credited to colbybr
n8n Vulnerable to Remote Code Execution via Expression Injection Critical
CVE-2025-68613 was published for n8n (npm) Dec 22, 2025
Credited to fatihhcelik and yuvalo1212
Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE) Critical
CVE-2025-66398 was published for signalk-server (npm) Jan 2, 2026
Credited to NoNoNGU
vm2 has a Sandbox Escape Critical
CVE-2026-22709 was published for vm2 (npm) Jan 26, 2026
SandboxJS has Sandbox Escape via Unprotected AsyncFunction Constructor Critical
CVE-2026-23830 was published for @nyariv/sandboxjs (npm) Jan 27, 2026
Credited to nyxsorcerer
n8n Has Expression Escape Vulnerability Leading to RCE Critical
CVE-2026-25049 was published for n8n (npm) Feb 4, 2026
Credited to fatihhcelik, eilonc-pillar, cristianstaicu, sandeepl337, nickcopi, joshft, yadhukrishnam, doyler, zolbooo, and nnfrog
Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names Critical
CVE-2026-33286 was published for graphiti (RubyGems) Mar 20, 2026
Credited to doublevoid and simonrand
NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node Critical
CVE-2026-34156 was published for @nocobase/plugin-workflow-javascript (npm) Mar 30, 2026
Credited to onurcangnc
PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection Critical
CVE-2026-44336 was published for PraisonAI (pip) May 11, 2026
Credited to amwhoi
vm2 has a Sandbox Escape issue Critical
CVE-2026-47131 was published for vm2 (npm) May 29, 2026
Credited to cookesan
vm2 is Vulnerable to Sandbox Breakout Through Promise Species Critical
CVE-2026-47208 was published for vm2 (npm) May 29, 2026
Credited to XmiliaH
Credited to q1uf3ngONEKEY
vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass Critical
CVE-2026-47210 was published for vm2 (npm) May 29, 2026
Credited to RealHurrison
Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API Critical
CVE-2026-53753 was published for crawl4ai (pip) Jun 16, 2026
Credited to q1uf3ng, August829, and ntohidi