Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
40
Go
2,974
Maven
5,000+
npm
4,621
NuGet
788
pip
4,317
Pub
12
RubyGems
984
Rust
1,131
Swift
49
Unreviewed advisories
All unreviewed
5,000+

1,469 advisories

Loading
beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS) Moderate
CVE-2026-26226 was published for beautiful-mermaid (npm) Feb 13, 2026
Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site Moderate
GHSA-w5cr-2qhr-jqc5 was published for agents (npm) Feb 13, 2026
Child processes spawned by Renovate incorrectly have full access to environment variables Moderate
GHSA-8wc6-vgrq-x6cf was published for renovate (npm) Feb 13, 2026
viceice
Credited to viceice
Cloudflare Agents is Vulnerable to Reflected Cross-Site Scripting in the AI Playground's OAuth callback handler Moderate
CVE-2026-1721 was published for agents (npm) Feb 13, 2026
markdown-it is has a Regular Expression Denial of Service (ReDoS) Moderate
CVE-2026-2327 was published for markdown-it (npm) Feb 12, 2026
Directus Vulnerable to User Enumeration via Password Reset Timing Attack Moderate
CVE-2026-26185 was published for @directus/api (npm) Feb 12, 2026
DenizParlak
Credited to DenizParlak
@farmfe/core is Missing Origin Validation in WebSocket Moderate
CVE-2025-56647 was published for @farmfe/core (npm) Feb 12, 2026
cap-go/capacitor-native-biometric Authentication Bypass Moderate
GHSA-vx5f-vmr6-32wf was published for @capgo/capacitor-native-biometric (npm) Feb 10, 2026
itz-d0dgy-2nd
Credited to itz-d0dgy-2nd
@langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation Moderate
CVE-2026-26019 was published for @langchain/community (npm) Feb 11, 2026
kpanuragh hntrl
Credited to kpanuragh and hntrl
nanotar is vulnerable to path traversal in parseTar() and parseTarGzip() Moderate
CVE-2025-69874 was published for nanotar (npm) Feb 11, 2026
Qwik City CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data) Moderate
CVE-2026-25155 was published for @builder.io/qwik-city (npm) Feb 3, 2026
Cube Core is vulnerable to Denial of Service (DoS) via crafted request Moderate
CVE-2026-25957 was published for @cubejs-backend/server-core (npm) Feb 10, 2026
ovr
Credited to ovr
unity-cli Exposes Plaintext Credentials in Debug Logs (sign-package command) Moderate
CVE-2026-25918 was published for @rage-against-the-pixel/unity-cli (npm) Feb 10, 2026
mcp-maigret vulnerable to command injection Moderate
CVE-2026-2130 was published for mcp-maigret (npm) Feb 8, 2026
LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection Moderate
CVE-2026-25528 was published for langsmith (npm) Feb 9, 2026
payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments) Moderate
CVE-2026-25574 was published for payload (npm) Feb 5, 2026
s2ongmo
Credited to s2ongmo
Sandbox escape via infinite recursion and error objects Moderate
CVE-2026-25533 was published for @enclave-vm/core (npm) Feb 5, 2026
cristianstaicu frontegg-david
Credited to cristianstaicu and frontegg-david
n8n's domain allowlist bypass enables credential exfiltration Moderate
CVE-2026-25631 was published for n8n (npm) Feb 4, 2026
weblover12
Credited to weblover12
SCEditor has DOM XSS via emoticon URL/HTML injection Moderate
CVE-2026-25581 was published for sceditor (npm) Feb 6, 2026
sofianeelhor
Credited to sofianeelhor
client-certificate-auth Vulnerable to Open Redirect via Host Header Injection in HTTP-to-HTTPS redirect Moderate
CVE-2026-25651 was published for client-certificate-auth (npm) Feb 6, 2026
mdast-util-to-hast has unsanitized class attribute Moderate
CVE-2025-66400 was published for mdast-util-to-hast (npm) Dec 2, 2025
Next.js has Unbounded Memory Consumption via PPR Resume Endpoint Moderate
CVE-2025-59472 was published for next (npm) Jan 28, 2026
cylewaitforit
Credited to cylewaitforit
JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js Moderate
CVE-2025-61140 was published for jsonpath (npm) Jan 28, 2026
gabrielmendes98
Credited to gabrielmendes98
KaTeX's maxExpand bypassed by `\edef` Moderate
CVE-2024-28243 was published for katex (npm) Mar 25, 2024
jupenur edemaine
Wenxin-Jiang
Credited to jupenur, edemaine, and Wenxin-Jiang
OpenClaw Vulnerable to Local File Inclusion via MEDIA: Path Extraction Moderate
CVE-2026-25475 was published for openclaw (npm) Feb 4, 2026
jasonsutter87 evanotero
Credited to jasonsutter87 and evanotero
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database