GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, count by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 61; GitHub Actions 50; Go 3,821; Maven 5,000+; npm 5,000+; NuGet 939; pip 5,000+; Pub 13; RubyGems 1,059; Rust 1,357; Swift 54
Unreviewed advisories: All unreviewed 5,000+
2,155 advisories
Severity | Advisory | Package (ecosystem) | Published | Title
Moderate | GHSA-wxw3-q3m9-c3jr | better-auth (npm) | May 15, 2026 | Better Auth: OAuth callback accepts mismatched `state` when cookie-backed state storage is used without PKCE
Moderate | CVE-2026-45366 | @utcp/http (npm) | May 14, 2026 | @utcp/http: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol
Moderate | GHSA-f3cj-j4f6-wq85 | svelte (npm) | May 14, 2026 | Svelte: SSR XSS via Insecure Promise Serialization in hydratable
Moderate | CVE-2026-45787 | electerm (npm) | May 14, 2026 | electerm's encrypt method not safe enough
Moderate | CVE-2026-42573 | svelte (npm) | May 14, 2026 | Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State
Moderate | CVE-2026-42567 | svelte (npm) | May 14, 2026 | Svelte: ReDoS in `<svelte:element>` Tag Validation
Moderate | CVE-2026-45346 | open-webui (npm) | May 14, 2026 | Open WebUI Has Stored Cross-Site Scripting in SVG Renderer
Moderate | CVE-2026-42599 | svelte (npm) | May 14, 2026 | Svelte SSR vulnerable to cross-site scripting via spread attributes
Moderate | GHSA-9m65-766c-r333 | @tanstack/start-server-core (npm) | May 14, 2026 | TanStack Start - Server Core: Inbound server-function request deserialization could invoke a sibling client-referenced server function
Moderate | CVE-2026-42853 | @apostrophecms/cli (npm) | May 14, 2026 | @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input
Moderate | CVE-2026-22707 | @strapi/upload (npm) | May 14, 2026 | Strapi Upload Plugin MIME Validation Bypass via Content API
Moderate | CVE-2025-64526 | @strapi/plugin-users-permissions (npm) | May 13, 2026 | Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying
Moderate | CVE-2026-44720 | openlearnx (npm) | May 13, 2026 | OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover
Moderate | CVE-2026-44652 | sillytavern (npm) | May 12, 2026 | SillyTavern has a SSRF vulnerability in the CORS proxy middleware
Moderate | CVE-2026-44651 | sillytavern (npm) | May 12, 2026 | SillyTavern has a reflected XSS vulnerability in the CORS proxy middleware
Moderate | CVE-2026-42073 | @gitlawb/openclaude (npm) | May 12, 2026 | OpenClaude MCP OAuth Callback: State Check Bypass via error Param Leads to DoS
Moderate | CVE-2026-44294 | protobufjs (npm) | May 12, 2026 | protobuf.js: Denial of service from crafted field names in generated code
Moderate | CVE-2026-44292 | protobufjs (npm) | May 12, 2026 | protobuf.js: Prototype injection in generated message constructors
Moderate | CVE-2026-44288 | @protobufjs/utf8 (npm) | May 12, 2026 | protobufjs has overlong UTF-8 decoding
Moderate | CVE-2026-41159 | mermaid (npm) | May 11, 2026 | Mermaid: Improper sanitization of configuration leads to CSS injection
Moderate | CVE-2026-41150 | mermaid (npm) | May 11, 2026 | Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS
Moderate | CVE-2026-41149 | mermaid (npm) | May 11, 2026 | Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection
Moderate | CVE-2026-41148 | mermaid (npm) | May 11, 2026 | Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection
Moderate | CVE-2026-44581 | next (npm) | May 11, 2026 | Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces
Moderate | CVE-2026-44580 | next (npm) | May 11, 2026 | Next.js has cross-site scripting in beforeInteractive scripts with untrusted input
ProTip! Advisories are also available from the GraphQL API.