GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,751 advisories

Orval Mock Generation Code Injection via const High
CVE-2026-24132 was published for @orval/mock (npm) Jan 22, 2026
Credited to k14uz
Seroval affected by Denial of Service via Deeply Nested Objects High
CVE-2026-24006 was published for seroval (npm) Jan 22, 2026
Credited to lxsmnsyc and tweidinger
Typebot affected by Credential Theft via Client-Side Script Execution and API Authorization Bypass High
CVE-2025-65098 was published for @typebot.io/js (npm) Jan 22, 2026
Credited to Deyvi-dev
Wrangler affected by OS Command Injection in `wrangler pages deploy` High
CVE-2026-0933 was published for wrangler (npm) Jan 21, 2026
Credited to yueyueL
Backstage has a Possible Symlink Path Traversal in Scaffolder Actions High
CVE-2026-24046 was published for @backstage/backend-defaults (npm) Jan 21, 2026
Seroval affected by Denial of Service via Array serialization High
CVE-2026-23957 was published for seroval (npm) Jan 21, 2026
Credited to tweidinger and lxsmnsyc
seroval affected by Denial of Service via RegExp serialization High
CVE-2026-23956 was published for seroval (npm) Jan 21, 2026
Credited to tweidinger and lxsmnsyc
@envelop/graphql-modules has a Race Condition vulnerability High
GHSA-h3hw-29fv-2x75 was published for @envelop/graphql-modules (npm) Jan 21, 2026
Credited to DuckThom, enisdenjo, and ardatan
sm-crypto Affected by Signature Forgery in SM2-DSA High
CVE-2026-23965 was published for sm-crypto (npm) Jan 21, 2026
Credited to XlabAITeam
sm-crypto Affected by Signature Malleability in SM2-DSA High
CVE-2026-23967 was published for sm-crypto (npm) Jan 21, 2026
Credited to XlabAITeam
seroval Affected by Remote Code Execution via JSON Deserialization High
CVE-2026-23737 was published for seroval (npm) Jan 21, 2026
Credited to GabbeV, tweidinger, and lxsmnsyc
seroval Affected by Prototype Pollution via JSON Deserialization High
CVE-2026-23736 was published for seroval (npm) Jan 21, 2026
Credited to lxsmnsyc and tweidinger
Credited to tomasilluminati
Duplicate Advisory: Wrangler affected by OS Command Injection in `wrangler pages deploy` High
GHSA-8h3q-9fpp-c883 was published for wrangler (npm) Jan 21, 2026 withdrawn
@fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding) High
CVE-2026-22037 was published for @fastify/express (npm) Jan 20, 2026
Credited to rootxharsh, Eomm, and mcollina
Fastify Middie Middleware Path Bypass High
CVE-2026-22031 was published for @fastify/middie (npm) Jan 20, 2026
Credited to rootxharsh, kamilmysliwiec, Eomm, and mcollina
Credited to Jvr2022
GraphQL Modules has a Race Condition issue High
CVE-2026-23735 was published for graphql-modules (npm) Jan 16, 2026
Credited to DuckThom, enisdenjo, and ardatan
svelte is vulnerable to XSS with textarea bind:value High
GHSA-gw32-9rmw-qwww was published for svelte (npm) Jan 16, 2026
Credited to coyotte508, Conduitry, and benmccann
devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse High
CVE-2026-22775 was published for devalue (npm) Jan 15, 2026
Credited to jviide, elliott-with-the-longest-name-on-github, and Rich-Harris
h3 v1 has Request Smuggling (TE.TE) issue High
CVE-2026-23527 was published for h3 (npm) Jan 15, 2026
Credited to simonkoeck
Credited to hashcoko, ottomated, and elliott-with-the-longest-name-on-github
Devalue is vulnerable to denial of service due to memory exhaustion in devalue.parse High
CVE-2026-22774 was published for devalue (npm) Jan 15, 2026
Credited to jviide, elliott-with-the-longest-name-on-github, and Rich-Harris
SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering High
CVE-2025-67647 was published for @sveltejs/adapter-node (npm) Jan 15, 2026
Credited to cold-try, teemingc, benmccann, and d-xuan
html2pdf.js contains a cross-site scripting vulnerability High
CVE-2026-22787 was published for html2pdf.js (npm) Jan 14, 2026
Credited to aydinnyunus and eKoopmans