Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,029
Maven
5,000+
npm
5,000+
NuGet
976
pip
5,000+
Pub
13
RubyGems
1,070
Rust
1,404
Swift
61
Unreviewed advisories
All unreviewed
5,000+

583 advisories

Loading
ThingsBoard contains a prototype pollution vulnerability which may lead to arbitrary code... High Unreviewed
CVE-2026-53676 was published Jun 18, 2026
n8n: Microsoft SQL Node Prototype Pollution High
CVE-2026-54312 was published for n8n (npm) Jun 16, 2026
s2ongmo Credited to s2ongmo
n8n: Prototype Pollution enables confused-deputy execution via public webhooks Moderate
CVE-2026-54306 was published for n8n (npm) Jun 16, 2026
sm1ee Credited to sm1ee
DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM Moderate
CVE-2026-49459 was published for dompurify (npm) Jun 15, 2026
offset Credited to offset
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge High
CVE-2026-44495 was published for axios (npm) May 29, 2026
August829 Credited to August829
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy` High
CVE-2026-44494 was published for axios (npm) May 29, 2026
August829 Credited to August829
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions Moderate
CVE-2026-44490 was published for axios (npm) May 29, 2026
Tal-Gav Credited to Tal-Gav
Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix Low
CVE-2026-44489 was published for axios (npm) May 29, 2026
@nevware21/ts-utils: Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty High
CVE-2026-46681 was published for @nevware21/ts-utils (npm) May 21, 2026
JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection High
CVE-2026-46625 was published for js-cookie (npm) May 21, 2026
teebow1e Credited to teebow1e
Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not... Moderate Unreviewed
CVE-2026-9101 was published May 20, 2026
multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception High
CVE-2026-8161 was published for multiparty (npm) May 18, 2026
Ser0n-ath Credited to Ser0n-ath, bjohansebas, kq5y, ByamB4, blakeembrey, ljharb, and UlisesGascon bjohansebas bjohansebas
kq5y kq5y ByamB4 ByamB4 blakeembrey blakeembrey ljharb ljharb UlisesGascon UlisesGascon
@tmlmobilidade/utils has prototype pollution in its setValueAtPath High
CVE-2026-45325 was published for @tmlmobilidade/utils (npm) May 18, 2026
0xBassia Credited to 0xBassia
parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names High
CVE-2026-45302 was published for parse-nested-form-data (npm) May 18, 2026
0xBassia Credited to 0xBassia
form-data-objectizer: Prototype pollution in form-data-objectizer via bracket-notation form keys High
CVE-2026-46510 was published for form-data-objectizer (npm) May 18, 2026
0xBassia Credited to 0xBassia
Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the... High Unreviewed
CVE-2026-8657 was published May 16, 2026
@ranfdev/deepobj has a Prototype Pollution vulnerability High
CVE-2026-46509 was published for @ranfdev/deepobj (npm) May 14, 2026
0xBassia Credited to 0xBassia
n8n Has an XML Node Prototype Pollution Patch Bypass Critical
CVE-2026-44791 was published for n8n (npm) May 14, 2026
simonkoeck Credited to simonkoeck
n8n: HTTP Request Node Pagination Prototype Pollution to RCE Critical
CVE-2026-44789 was published for n8n (npm) May 14, 2026
sm1ee Credited to sm1ee
protobuf.js: Prototype injection in generated message constructors Moderate
CVE-2026-44292 was published for protobufjs (npm) May 12, 2026
VladimirEliTokarev Credited to VladimirEliTokarev and dcodeIO dcodeIO dcodeIO
protobuf.js: Code generation gadget after prototype pollution High
CVE-2026-44291 was published for protobufjs (npm) May 12, 2026
VladimirEliTokarev Credited to VladimirEliTokarev and dcodeIO dcodeIO dcodeIO
protobuf.js: Process-wide denial of service through unsafe option paths High
CVE-2026-44290 was published for protobufjs (npm) May 12, 2026
AKiileX Credited to AKiileX, VladimirEliTokarev, and dcodeIO VladimirEliTokarev VladimirEliTokarev
dcodeIO dcodeIO
@theecryptochad/merge-guard has Prototype Pollution in its deepMerge() function High
GHSA-mhwj-73qx-jqxm was published for @theecryptochad/merge-guard (npm) May 11, 2026
TheeCryptoChad Credited to TheeCryptoChad
@rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data) High
CVE-2026-44483 was published for @rvf/set-get (npm) May 11, 2026
0xBassia Credited to 0xBassia
Velocity.js has a Prototype Pollution vulnerability through #set path assignment High
CVE-2026-44966 was published for velocityjs (npm) May 9, 2026
yumarun Credited to yumarun
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database