GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,520 advisories

LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader Moderate
CVE-2026-27795 was published for @langchain/community (npm) Feb 25, 2026
Credited to r3dbrothers and hntrl
Angular SSR has an Open Redirect via X-Forwarded-Prefix Moderate
CVE-2026-27738 was published for @angular/ssr (npm) Feb 25, 2026
Credited to alan-agius4, josephperrott, securityMB, AndrewKushnir, dgp1130, and VenkatKwest
Astro has memory exhaustion DoS due to missing request body size limit in Server Actions Moderate
CVE-2026-27729 was published for @astrojs/node (npm) Feb 25, 2026
Credited to pHo9UBenaA
Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize Moderate
CVE-2026-27829 was published for @astrojs/node (npm) Feb 25, 2026
Credited to pHo9UBenaA
repostat: Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard Moderate
CVE-2026-27612 was published for repostat (npm) Feb 25, 2026
Credited to denpiligrim
Astro has Full-Read SSRF in error rendering via Host: header injection Moderate
CVE-2026-25545 was published for @astrojs/node (npm) Feb 23, 2026
Credited to Aikido-Security, reindaelman, JorianWoltjer, and grumpinout1
Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads Moderate
CVE-2026-27567 was published for payload (npm) Feb 24, 2026
Credited to r3dbrothers
bn.js affected by an infinite loop Moderate
CVE-2026-2739 was published for bn.js (npm) Feb 20, 2026
Credited to richardsimko and jochenschmich-aeberle
ajv has ReDoS when using `$data` option Moderate
CVE-2025-69873 was published for ajv (npm) Feb 11, 2026
Credited to epoberezkin, G-Rath, and wayne530
Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused Moderate
CVE-2026-27492 was published for lettermint (npm) Feb 20, 2026
Credited to aether-ai-agent
OpenClaw hardened cron webhook delivery against SSRF Moderate
CVE-2026-27488 was published for openclaw (npm) Feb 20, 2026
Credited to Adam55A-code
OpenClaw: Reject symlinks in local skill packaging script Moderate
CVE-2026-27485 was published for openclaw (npm) Feb 20, 2026
Credited to aether-ai-agent
OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup Moderate
CVE-2026-27486 was published for openclaw (npm) Feb 18, 2026
Credited to aether-ai-agent
Pannellum has a XSS vulnerability in hot spot attributes Moderate
CVE-2026-27210 was published for pannellum (npm) Feb 19, 2026
Credited to lumin9ry, SUT0L, and Visvge
Svelte SSR attribute spreading includes inherited properties from prototype chain Moderate
CVE-2026-27125 was published for svelte (npm) Feb 19, 2026
Credited to elliott-with-the-longest-name-on-github
Svelte SSR does not validate dynamic element tag names in `<svelte:element>` Moderate
CVE-2026-27122 was published for svelte (npm) Feb 19, 2026
Credited to elliott-with-the-longest-name-on-github
Svelte affected by cross-site scripting via spread attributes in Svelte SSR Moderate
CVE-2026-27121 was published for svelte (npm) Feb 19, 2026
Credited to elliott-with-the-longest-name-on-github
Svelte affected by XSS in SSR `<option>` element Moderate
CVE-2026-27119 was published for svelte (npm) Feb 19, 2026
Credited to elliott-with-the-longest-name-on-github
Cache poisoning in @sveltejs/adapter-vercel Moderate
CVE-2026-27118 was published for @sveltejs/adapter-vercel (npm) Feb 19, 2026
Credited to elliott-with-the-longest-name-on-github
RediSearch Query Injection in @langchain/langgraph-checkpoint-redis Moderate
CVE-2026-27022 was published for @langchain/langgraph-checkpoint-redis (npm) Feb 18, 2026
Credited to yardenporat353 and hntrl
Sync-in Server has a stored cross-site scripting (XSS) vulnerability Moderate
CVE-2025-67438 was published for @sync-in/server (npm) Feb 20, 2026
url-parse Incorrectly parses URLs that include an '@' Moderate
CVE-2022-0639 was published for url-parse (npm) Feb 18, 2022
Credited to Haxatron and ljharb
Authorization bypass in url-parse Moderate
CVE-2022-0512 was published for url-parse (npm) Feb 15, 2022
Credited to ljharb