
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,456 advisories

devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse (Severity: High)
CVE-2026-22775 was published for devalue (npm) Jan 15, 2026
Credited to jviide, elliott-with-the-longest-name-on-github, and Rich-Harris
Pepr Has Overly Permissive RBAC ClusterRole in Admin Mode (Severity: Low)
GHSA-w54x-r83c-x79q was published for pepr (npm) Jan 15, 2026
Credited to tghastings
svelte vulnerable to Cross-site Scripting (Severity: Moderate)
CVE-2025-15265 was published for svelte (npm) Jan 15, 2026
Credited to elliott-with-the-longest-name-on-github and Rich-Harris
h3 v1 has Request Smuggling (TE.TE) issue (Severity: High)
CVE-2026-23527 was published for h3 (npm) Jan 15, 2026
Credited to simonkoeck
Credited to hashcoko, ottomated, and elliott-with-the-longest-name-on-github
Devalue is vulnerable to denial of service due to memory exhaustion in devalue.parse (Severity: High)
CVE-2026-22774 was published for devalue (npm) Jan 15, 2026
Credited to jviide, elliott-with-the-longest-name-on-github, and Rich-Harris
SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering (Severity: High)
CVE-2025-67647 was published for @sveltejs/adapter-node (npm) Jan 15, 2026
Credited to cold-try, teemingc, benmccann, and d-xuan
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch (Severity: Low)
GHSA-73rr-hh4g-fpgx was published for diff (npm) Jan 14, 2026
Credited to guiyi-he and ExplodingCabbage
Credited to mcollina and illia-v
html2pdf.js contains a cross-site scripting vulnerability (Severity: High)
CVE-2026-22787 was published for html2pdf.js (npm) Jan 14, 2026
Credited to aydinnyunus and eKoopmans
enclave-vm Vulnerable to Sandbox Escape via Host Error Prototype Chain (Severity: Critical)
CVE-2026-22686 was published for enclave-vm (npm) Jan 14, 2026
Outray cli is vulnerable to race conditions in tunnels creation (Severity: Moderate)
CVE-2026-22820 was published for outray (npm) Jan 13, 2026
Credited to gr33pp and SENSEiXENUS
Outray has a Race Condition in the cli's webapp (Severity: Moderate)
CVE-2026-22819 was published for outray (npm) Jan 13, 2026
Credited to SENSEiXENUS and gr33pp
Credited to calloc134 and devanshbatham
Credited to calloc134 and devanshbatham
Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State (Severity: High)
CVE-2026-22814 was published for @adonisjs/lucid (npm) Jan 13, 2026
Credited to wodzen
Malicious website can execute commands on the local system through XSS in the OpenCode web UI (Severity: Critical)
CVE-2026-22813 was published for opencode-ai (npm) Jan 13, 2026
Credited to AlbertSPedersen
tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability (Severity: Moderate)
CVE-2026-22809 was published for tarteaucitronjs (npm) Jan 13, 2026
Credited to Yasha-ops
OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution (Severity: High)
CVE-2026-22812 was published for opencode-ai (npm) Jan 13, 2026
Credited to CyberShadow
Renovate vulnerable to arbitrary command injection via helmv3 manager and malicious Chart.yaml file (Severity: Moderate)
GHSA-3f44-xw83-3pmg was published for renovate (npm) Jan 13, 2026
Credited to astellingwerf
Renovate vulnerable to arbitrary command injection via gleam manager and malicious gleam.toml file (Severity: Moderate)
GHSA-xjr7-3c3g-m763 was published for renovate (npm) Jan 13, 2026
Credited to astellingwerf
Renovate vulnerable to arbitrary command injection via hermit manager and maliciously named dependencies (Severity: Moderate)
GHSA-36j9-mx87-2cff was published for renovate (npm) Jan 13, 2026
Credited to astellingwerf
Renovate vulnerable to arbitrary command injection via npm manager and malicious Renovate configuration (Severity: Moderate)
GHSA-fr4j-65pv-gjjj was published for renovate (npm) Jan 13, 2026
Credited to astellingwerf
Renovate vulnerable to arbitrary command injection via kustomize manager and malicious helm repository (Severity: Moderate)
GHSA-xv56-3wq5-9997 was published for renovate (npm) Jan 13, 2026
Credited to astellingwerf
Renovate vulnerable to arbitrary command injection via Gradle Wrapper and malicious `distributionUrl` (Severity: Moderate)
GHSA-pfq2-hh62-7m96 was published for renovate (npm) Jan 13, 2026
Credited to y4rvin