Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,967
Maven
5,000+
npm
5,000+
NuGet
973
pip
5,000+
Pub
13
RubyGems
1,064
Rust
1,387
Swift
56
Unreviewed advisories
All unreviewed
5,000+

411 advisories

Loading
NocoDB: Missing Ownership Check in MCP Attachment Read Low
CVE-2026-47388 was published for nocodb (npm) Jun 5, 2026
helwor-01 Credited to helwor-01
NocoDB: User Enumeration via Sign-In Timing Low
CVE-2026-47380 was published for nocodb (npm) Jun 5, 2026
AndyAnh174 Credited to AndyAnh174
Summarize contains a missing authorization vulnerability Low
CVE-2026-45244 was published for @steipete/summarize (npm) May 18, 2026
vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter Low
GHSA-q3fm-4wcw-g57x was published for vm2 (npm) May 29, 2026
fg0x0 Credited to fg0x0
@ai-sdk/provider-utils has an Uncontrolled Resource Consumption issue Low
CVE-2026-8769 was published for @ai-sdk/provider-utils (npm) May 18, 2026
Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix Low
CVE-2026-44489 was published for axios (npm) May 29, 2026
@kilocode/cli Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor Low
CVE-2026-8766 was published for @kilocode/cli (npm) May 18, 2026
NocoDB: Stale Auth Cache After API Token Deletion Low
CVE-2026-46554 was published for nocodb (npm) May 21, 2026
bugbunny-research Credited to bugbunny-research
NocoDB: Attachment Size Limit Bypass via Upload-by-URL Low
CVE-2026-46553 was published for nocodb (npm) May 21, 2026
bugbunny-research Credited to bugbunny-research
NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation Low
CVE-2026-46549 was published for nocodb (npm) May 21, 2026
ik0z Credited to ik0z
@tootallnate/once vulnerable to Incorrect Control Flow Scoping Low
CVE-2026-3449 was published for @tootallnate/once (npm) Mar 3, 2026
janpe Credited to janpe, mpsijm, orien, danez, jusemon, apepper, omgovich, siddharth-kumra, and gbatterbee mpsijm mpsijm
orien orien danez danez jusemon jusemon apepper apepper omgovich omgovich siddharth-kumra siddharth-kumra gbatterbee gbatterbee
TeleJSON: DOM XSS via unsanitised constructor name in `new Function()` Low
CVE-2026-47099 was published for telejson (npm) Apr 2, 2026
Niccolo10 Credited to Niccolo10
pm2 Regular Expression Denial of Service vulnerability Low
CVE-2025-5891 was published for pm2 (npm) Jun 9, 2025
mhassan1 Credited to mhassan1 and corridormatt corridormatt corridormatt
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning Low
CVE-2026-46342 was published for @nuxt/nitro-server (npm) May 19, 2026
fancymalware Credited to fancymalware
Turbo: Unexpected local code execution during Yarn Berry detection Low
CVE-2026-45772 was published for @turbo/codemod (npm) May 19, 2026
OpenClaw: Isolated cron awareness events were recorded as trusted system events Low
CVE-2026-44999 was published for openclaw (npm) Apr 25, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
Broken dropper in @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp Low
GHSA-jgg6-4rpr-wfh7 was published for @mistralai/mistralai (npm) May 18, 2026
jean-malo Credited to jean-malo
Duplicate Advisory: OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners Low
GHSA-p3pv-c954-9m6f was published for openclaw (npm) May 11, 2026 withdrawn
Duplicate Advisory: OpenClaw's ACP child sessions inherit subagent security envelope constraints Low
GHSA-w626-296m-8f85 was published for openclaw (npm) May 11, 2026 withdrawn
Sveltia CMS: Stored XSS in entry summary rendering via entity-decoded HTML Low
GHSA-97r8-rf7q-wmjw was published for @sveltia/cms (npm) May 18, 2026
blacksolo1 Credited to blacksolo1
nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect) Low
CVE-2026-44589 was published for nuxt-og-image (npm) May 7, 2026
b-hermes Credited to b-hermes
Strapi: Password Reset Does Not Revoke Existing Refresh Sessions Low
CVE-2026-22706 was published for @strapi/admin (npm) May 13, 2026
zaddy6 Credited to zaddy6, arthurgervais, derrickmehaffy, AndyAnh174, and Aastha2602 arthurgervais arthurgervais
derrickmehaffy derrickmehaffy AndyAnh174 AndyAnh174 Aastha2602 Aastha2602
Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties Low
GHSA-mwv9-gp5h-frr4 was published for devalue (npm) Mar 12, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github, KarimPwnz, wim-vercel, mattiasljungstrom, and Wenxin-Jiang KarimPwnz KarimPwnz
wim-vercel wim-vercel mattiasljungstrom mattiasljungstrom Wenxin-Jiang Wenxin-Jiang
Astro: Server island encrypted parameters vulnerable to cross-component replay Low
CVE-2026-45028 was published for astro (npm) May 13, 2026
Popax21 Credited to Popax21
Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting Low
CVE-2026-44582 was published for next (npm) May 11, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database