Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
40
Go
2,974
Maven
5,000+
npm
4,621
NuGet
788
pip
4,317
Pub
12
RubyGems
984
Rust
1,131
Swift
49
Unreviewed advisories
All unreviewed
5,000+

1,795 advisories

Loading
CediPay Affected by Improper Input Validation in Payment Processing High
CVE-2026-26063 was published for cedipay-core (npm) Feb 12, 2026
Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls High
CVE-2025-14874 was published for nodemailer (npm) Dec 1, 2025
uko3211
Credited to uko3211
jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions High
CVE-2026-1615 was published for jsonpath (npm) Feb 9, 2026
saivarun3407
Credited to saivarun3407
fast-xml-parser has RangeError DoS Numeric Entities Bug High
CVE-2026-25128 was published for fast-xml-parser (npm) Jan 30, 2026
mistersiddd
Credited to mistersiddd
Path Traversal in angular-http-server High
GHSA-vmhw-fhj6-m3g5 was published for angular-http-server (npm) May 31, 2019
sunnypatell
Credited to sunnypatell
Improper handling of multiline messages in node-irc High
GHSA-52rh-5rpj-c3w6 was published for matrix-org-irc (npm) May 5, 2022
kurt-r2c sunnypatell
Credited to kurt-r2c and sunnypatell
FUXA allows Remote Code Execution (RCE) via the project import functionality. High
CVE-2025-69983 was published for fuxa-server (npm) Feb 3, 2026
Lightning Flow Scanner Vulnerable to Code Injection via Unsafe Use of `new Function()` in APIVersion Rule High
CVE-2025-67750 was published for lightning-flow-scanner (npm) Dec 12, 2025
CamilleGuillory RubenHalman
Credited to CamilleGuillory and RubenHalman
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion High
CVE-2025-15284 was published for qs (npm) Dec 30, 2025
samipmainali ljharb
Credited to samipmainali and ljharb
FUXA contains an Unrestricted File Upload vulnerability High
CVE-2025-69981 was published for fuxa-server (npm) Feb 3, 2026
FUXA Affected by a Path Traversal Sanitization Bypass High
CVE-2026-25951 was published for fuxa-server (npm) Feb 10, 2026
h1dr1
Credited to h1dr1
Cube Core is vulnerable to privilege escalation via a specially crafted request High
CVE-2026-25958 was published for @cubejs-backend/server-core (npm) Feb 10, 2026
ovr
Credited to ovr
FUXA contains an insecure default configuration vulnerability High
CVE-2025-69970 was published for fuxa-server (npm) Feb 3, 2026
Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig High
CVE-2026-25639 was published for axios (npm) Feb 9, 2026
hackerman70000
Credited to hackerman70000
@modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse High
CVE-2026-25536 was published for @modelcontextprotocol/sdk (npm) Feb 4, 2026
gh-arpeet ahabian
Credited to gh-arpeet and ahabian
godot-mcp has Command Injection via unsanitized projectPath High
CVE-2026-25546 was published for @coding-solo/godot-mcp (npm) Feb 4, 2026
TianYu-0829 wcole3
Coding-Solo
Credited to TianYu-0829, wcole3, and Coding-Solo
AdonisJS vulnerable to Denial of Service (DoS) via Unrestricted Memory Buffering in PartHandler during File Type Detection High
CVE-2026-25762 was published for @adonisjs/bodyparser (npm) Feb 6, 2026
ZeroXJacks
Credited to ZeroXJacks
AdonisJS multipart body parsing has Prototype Pollution issue High
CVE-2026-25754 was published for @adonisjs/bodyparser (npm) Feb 6, 2026
RomainLanz
Credited to RomainLanz
Duplicate Advisory: npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability High
CVE-2026-0775 was published for npm (npm) Jan 23, 2026 withdrawn
Mauripache
Credited to Mauripache
OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply High
CVE-2026-25593 was published for openclaw (npm) Feb 4, 2026
hackerman70000
Credited to hackerman70000
Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json High
CVE-2026-25725 was published for @anthropic-ai/claude-code (npm) Feb 6, 2026
Claude Code Vulnerable to Command Injection via Piped sed Command Bypasses File Write Restrictions High
CVE-2026-25723 was published for @anthropic-ai/claude-code (npm) Feb 6, 2026
Claude Code Vulnerable to Command Injection via Directory Change Bypasses Write Protection High
CVE-2026-25722 was published for @anthropic-ai/claude-code (npm) Feb 6, 2026
@isaacs/brace-expansion has Uncontrolled Resource Consumption High
CVE-2026-25547 was published for @isaacs/brace-expansion (npm) Feb 3, 2026
Jvr2022 intrigus-lgtm
Credited to Jvr2022 and intrigus-lgtm
Mongoose search injection vulnerability High
CVE-2024-53900 was published for mongoose (npm) Dec 2, 2024
balles skrtheboss
ljharb
Credited to balles, skrtheboss, and ljharb
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database