GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,029
Maven
5,000+
npm
5,000+
NuGet
976
pip
5,000+
Pub
13
RubyGems
1,070
Rust
1,404
Swift
61
Unreviewed advisories
All unreviewed
5,000+
6,517 advisories
n8n: Python Code Node AST Validator Bypass
Moderate
GHSA-jwm3-qcfw-c5pp was published for n8n (npm)
Jun 16, 2026
n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook Verification Endpoints
Moderate
CVE-2026-54303 was published for n8n (npm)
Jun 16, 2026
n8n: Microsoft SQL Node Prototype Pollution
High
CVE-2026-54312 was published for n8n (npm)
Jun 16, 2026
LobeHub: Unauthenticated SSRF in `/webapi/proxy`
Critical
CVE-2026-54157 was published for @lobehub/lobehub (npm)
Jun 16, 2026
n8n: Merge Node SQL Mode Prototype Pollution
Moderate
CVE-2026-54311 was published for n8n (npm)
Jun 16, 2026
n8n: Prototype Pollution enables confused-deputy execution via public webhooks
Moderate
CVE-2026-54306 was published for n8n (npm)
Jun 16, 2026
n8n: Same-Origin XSS in Respond to Webhook Node
High
CVE-2026-54301 was published for n8n (npm)
Jun 16, 2026
n8n: Missing Token Validation on Microsoft Agent 365 Trigger and Stripe Nodes
Moderate
CVE-2026-54308 was published for n8n (npm)
Jun 16, 2026
n8n: Wrong OAuth Scope On Evaluations Test Run Creation Endpoint
Moderate
GHSA-hv7x-3x78-gx53 was published for n8n (npm)
Jun 16, 2026
n8n: NoSQL Injection in MongoDB Node Find And Replace Operation
Moderate
CVE-2026-54313 was published for n8n (npm)
Jun 16, 2026
n8n: SQL Injection in Postgres v1/TimescaleDB Nodes
Moderate
CVE-2026-54310 was published for n8n (npm)
Jun 16, 2026
n8n: Git Node Clone and Push Operations Bypass File Sandbox
Moderate
CVE-2026-49465 was published for n8n (npm)
Jun 16, 2026
Astro: XSS via Unescaped Attribute Names in Spread Props
Moderate
CVE-2026-54298 was published for astro (npm)
Jun 16, 2026
Astro: Host header SSRF in prerendered error page fetch
High
CVE-2026-54299 was published for astro (npm)
Jun 16, 2026
@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config
Moderate
CVE-2026-54300 was published for @astrojs/netlify (npm)
Jun 16, 2026
hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`
Moderate
CVE-2026-54288 was published for hono (npm)
Jun 16, 2026
hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
Moderate
CVE-2026-54289 was published for hono (npm)
Jun 16, 2026
hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard
High
CVE-2026-54290 was published for hono (npm)
Jun 16, 2026
hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)
Moderate
CVE-2026-54286 was published for hono (npm)
Jun 16, 2026
hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice
Moderate
CVE-2026-54287 was published for hono (npm)
Jun 16, 2026
Astro: Reflected XSS via unescaped slot name
High
CVE-2026-50146 was published for astro (npm)
Jun 16, 2026
Nuxt: Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URL
Moderate
CVE-2026-53722 was published for nuxt (npm)
Jun 16, 2026
Nuxt dev server vite-node IPC socket is world-connectable on Linux
Moderate
GHSA-534h-c3cw-v3h9 was published for nuxt (npm)
Jun 16, 2026
ProTip! Advisories are also available from the GraphQL API.