GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
1,440 advisories
Maker.js has Unsafe Property Copying in makerjs.extendObject
  Moderate | CVE-2026-24888 was published for makerjs (npm) | Jan 29, 2026
NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS
  Moderate | CVE-2026-24766 was published for nocodb (npm) | Jan 28, 2026
NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality
  Moderate | CVE-2026-24767 was published for nocodb (npm) | Jan 28, 2026
NocoDB has Unvalidated Redirect in Login Flow via continueAfterSignIn Parameter
  Moderate | CVE-2026-24768 was published for nocodb (npm) | Jan 28, 2026
BrowserStack Local vulnerable to Command Injection through logfile variable
  Moderate | CVE-2025-57283 was published for browserstack-local (npm) | Jan 28, 2026
Hono vulnerable to XSS through ErrorBoundary component
  Moderate | CVE-2026-24771 was published for hono (npm) | Jan 28, 2026
Next.js has Unbounded Memory Consumption via PPR Resume Endpoint
  Moderate | CVE-2025-59472 was published for next (npm) | Jan 28, 2026
vlt Mishandles Path Sanitization for tar
  Moderate | CVE-2026-24909 was published for @vltpkg/tar (npm) | Jan 28, 2026
StudioCMS has Authorization Bypass Through User-Controlled Key
  Moderate | CVE-2026-24134 was published for studiocms (npm) | Jan 27, 2026
Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration
  Moderate | CVE-2025-59471 was published for next (npm) | Jan 27, 2026
Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)
  Moderate | CVE-2026-24473 was published for hono (npm) | Jan 27, 2026
Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception
  Moderate | CVE-2026-24472 was published for hono (npm) | Jan 27, 2026
Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing
  Moderate | CVE-2026-24398 was published for hono (npm) | Jan 27, 2026
pnpm has Path Traversal via arbitrary file permission modification
  Moderate | CVE-2026-24131 was published for pnpm (npm) | Jan 26, 2026
pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
  Moderate | CVE-2026-23888 was published for pnpm (npm) | Jan 26, 2026
pnpm has Windows-specific tarball Path Traversal
  Moderate | CVE-2026-23889 was published for pnpm (npm) | Jan 26, 2026
pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin
  Moderate | CVE-2026-23890 was published for pnpm (npm) | Jan 26, 2026
pnpm has symlink traversal in file:/git dependencies
  Moderate | CVE-2026-24056 was published for pnpm (npm) | Jan 26, 2026
eslint has a Stack Overflow when serializing objects with circular references
  Moderate | CVE-2025-50537 was published for eslint (npm) | Jan 26, 2026
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
  Moderate | CVE-2025-13465 was published for lodash (npm) | Jan 21, 2026
@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass
  Moderate | CVE-2026-24047 was published for @backstage/cli-common (npm) | Jan 21, 2026
Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
  Moderate | CVE-2026-21852 was published for @anthropic-ai/claude-code (npm) | Jan 21, 2026
binary-parser library has a code injection vulnerability
  Moderate | CVE-2026-1245 was published for binary-parser (npm) | Jan 20, 2026
Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE)
  Moderate | CVE-2026-23733 was published for @lobehub/chat (npm) | Jan 20, 2026
Veramo is Vulnerable to SQL Injection in Veramo Data Store ORM
  Moderate | GHSA-38cw-85xc-xr9x was published for @veramo/data-store (npm) | Jan 16, 2026
ProTip! Advisories are also available from the GraphQL API.