GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (count per ecosystem): All reviewed 5,000+; Composer 5,000+; Erlang 40; GitHub Actions 38; Go 2,857; Maven 5,000+; npm 4,488; NuGet 780; pip 4,243; Pub 12; RubyGems 975; Rust 1,095; Swift 49.
Unreviewed advisories: All unreviewed 5,000+.
1,059 advisories
Title | Severity | Identifier | Package (ecosystem) | Published
sm-crypto Affected by Private Key Recovery in SM2-PKE | Critical | CVE-2026-23966 | sm-crypto (npm) | Jan 21, 2026
Orval has a code injection via unsanitized x-enum-descriptions in enum generation | Critical | CVE-2026-23947 | @orval/core (npm) | Jan 21, 2026
flat vulnerable to Prototype Pollution | Critical | CVE-2020-36632 | flat (npm) | Dec 25, 2022
REC in MCPJam inspector due to HTTP Endpoint exposes | Critical | CVE-2026-23744 | @mcpjam/inspector (npm) | Jan 16, 2026
jsPDF has Local File Inclusion/Path Traversal vulnerability | Critical | CVE-2025-68428 | jspdf (npm) | Jan 5, 2026
Sandbox Breakout / Arbitrary Code Execution in localeval | Critical | GHSA-mmqv-m45h-q2hp | localeval (npm) | Sep 4, 2020
enclave-vm Vulnerable to Sandbox Escape via Host Error Prototype Chain | Critical | CVE-2026-22686 | enclave-vm (npm) | Jan 14, 2026
Malicious website can execute commands on the local system through XSS in the OpenCode web UI | Critical | CVE-2026-22813 | opencode-ai (npm) | Jan 13, 2026
orval MCP client is vulnerable to a code injection attack. | Critical | CVE-2026-22785 | @orval/mcp (npm) | Jan 13, 2026
n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling | Critical | CVE-2026-21858 | n8n (npm) | Jan 7, 2026
React Router has Path Traversal in File Session Storage | Critical | CVE-2025-61686 | @react-router/node (npm) | Jan 8, 2026
n8n Vulnerable to Remote Code Execution via Expression Injection | Critical | CVE-2025-68613 | n8n (npm) | Dec 22, 2025
n8n Vulnerable to RCE via Arbitrary File Write | Critical | CVE-2026-21877 | n8n (npm) | Jan 6, 2026
n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node | Critical | CVE-2025-68668 | n8n (npm) | Dec 26, 2025
AdonisJS Path Traversal in Multipart File Handling | Critical | CVE-2026-21440 | @adonisjs/bodyparser (npm) | Jan 2, 2026
Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling | Critical | CVE-2025-68620 | signalk-server (npm) | Jan 2, 2026
Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE) | Critical | CVE-2025-66398 | signalk-server (npm) | Jan 2, 2026
apidoc-core has a prototype pollution vulnerability | Critical | CVE-2025-13158 | apidoc-core (npm) | Dec 26, 2025
plotly.js prototype pollution vulnerability | Critical | CVE-2023-46308 | plotly.js (Composer) | Jan 3, 2024
Withdrawn Advisory: LikeC4 has RCE through vulnerable React and Next.js versions | Critical | GHSA-vr6p-vq2p-6j74 | likec4 (npm) | Dec 15, 2025 (withdrawn)
Node-SAML SAML Authentication Bypass | Critical | CVE-2025-54369 | @node-saml/node-saml (npm) | Jul 25, 2025
Next.js is vulnerable to RCE in React flight protocol | Critical | GHSA-9qr9-h5gf-34mp | next (npm) | Dec 3, 2025
React Server Components are Vulnerable to RCE | Critical | GHSA-fmh4-wr37-44fp | @vitejs/plugin-rsc (npm) | Dec 3, 2025
@vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs on development server | Critical | CVE-2025-67489 | @vitejs/plugin-rsc (npm) | Dec 8, 2025
Advisories are also available from the GraphQL API.