GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
1,059 advisories
sm-crypto Affected by Private Key Recovery in SM2-PKE
Critical
CVE-2026-23966
was published
for
sm-crypto
(npm)
Jan 21, 2026
Orval has a code injection via unsanitized x-enum-descriptions in enum generation
Critical
CVE-2026-23947
was published
for
@orval/core
(npm)
Jan 21, 2026
REC in MCPJam inspector due to HTTP Endpoint exposes
Critical
CVE-2026-23744
was published
for
@mcpjam/inspector
(npm)
Jan 16, 2026
Malicious website can execute commands on the local system through XSS in the OpenCode web UI
Critical
CVE-2026-22813
was published
for
opencode-ai
(npm)
Jan 13, 2026
orval MCP client is vulnerable to a code injection attack.
Critical
CVE-2026-22785
was published
for
@orval/mcp
(npm)
Jan 13, 2026
React Router has Path Traversal in File Session Storage
Critical
CVE-2025-61686
was published
for
@react-router/node
(npm)
Jan 8, 2026
n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling
Critical
CVE-2026-21858
was published
for
n8n
(npm)
Jan 7, 2026
n8n Vulnerable to RCE via Arbitrary File Write
Critical
CVE-2026-21877
was published
for
n8n
(npm)
Jan 6, 2026
jsPDF has Local File Inclusion/Path Traversal vulnerability
Critical
CVE-2025-68428
was published
for
jspdf
(npm)
Jan 5, 2026
AdonisJS Path Traversal in Multipart File Handling
Critical
CVE-2026-21440
was published
for
@adonisjs/bodyparser
(npm)
Jan 2, 2026
Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling
Critical
CVE-2025-68620
was published
for
signalk-server
(npm)
Jan 2, 2026
n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node
Critical
CVE-2025-68668
was published
for
n8n
(npm)
Dec 26, 2025
n8n Vulnerable to Remote Code Execution via Expression Injection
Critical
CVE-2025-68613
was published
for
n8n
(npm)
Dec 22, 2025
Withdrawn Advisory: LikeC4 has RCE through vulnerable React and Next.js versions
Critical
GHSA-vr6p-vq2p-6j74
was published
for
likec4
(npm)
Dec 15, 2025
•
withdrawn
Elysia vulnerable to prototype pollution with multiple standalone schema validation
Critical
CVE-2025-66456
was published
for
elysia
(npm)
Dec 9, 2025
@vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs on development server
Critical
CVE-2025-67489
was published
for
@vitejs/plugin-rsc
(npm)
Dec 8, 2025
n8n vulnerable to Remote Code Execution via Git Node Custom Pre-Commit Hook
Critical
CVE-2025-65964
was published
for
n8n
(npm)
Dec 8, 2025
React Server Components are Vulnerable to RCE
Critical
CVE-2025-55182
was published
for
react-server-dom-parcel
(npm)
Dec 3, 2025
Next.js is vulnerable to RCE in React flight protocol
Critical
GHSA-9qr9-h5gf-34mp
was published
for
next
(npm)
Dec 3, 2025
MCP Watch has a Critical Command Injection in cloneRepo allows Remote Code Execution (RCE) via malicious URL
Critical
CVE-2025-66401
was published
for
mcp-watch
(npm)
Dec 2, 2025
md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
Critical
CVE-2025-65108
was published
for
md-to-pdf
(npm)
Nov 20, 2025
ProTip!
Advisories are also available from the
GraphQL API