Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,029
Maven
5,000+
npm
5,000+
NuGet
976
pip
5,000+
Pub
13
RubyGems
1,070
Rust
1,404
Swift
61
Unreviewed advisories
All unreviewed
5,000+

2,521 advisories

Loading
DbGate: Remote Code Execution via functionName injection in loadReader endpoint High
CVE-2026-48017 was published for dbgate-api (npm) Jun 5, 2026
romain-deperne Credited to romain-deperne
Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP High
CVE-2026-47684 was published for @sync-in/server (npm) Jun 5, 2026
x0root Credited to x0root and johaven johaven johaven
NocoDB: Stored Cross-Site Scripting via Form View Redirect URL High
CVE-2026-47387 was published for nocodb (npm) Jun 5, 2026
kah-ja Credited to kah-ja
NocoDB: Stored Cross-Site Scripting via Row Comments High
CVE-2026-47383 was published for nocodb (npm) Jun 5, 2026
DavidCarliez Credited to DavidCarliez and Mouhebbenelwafi Mouhebbenelwafi Mouhebbenelwafi
React Router vulnerable to Denial of Service via reflected user input in single-fetch High
CVE-2026-34077 was published for react-router (npm) Jun 4, 2026
Oceandust Credited to Oceandust
Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending High
CVE-2026-45337 was published for better-auth (npm) Jun 4, 2026
whrit Credited to whrit
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection High
CVE-2026-44496 was published for axios (npm) Jun 4, 2026
August829 Credited to August829
Allocation of Resources Without Limits or Throttling in Axios High
CVE-2026-44488 was published for axios (npm) Jun 4, 2026
asadeddin Credited to asadeddin
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter High
CVE-2026-44487 was published for axios (npm) Jun 4, 2026
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection High
CVE-2026-44486 was published for axios (npm) Jun 4, 2026
ngocnn97 Credited to ngocnn97
browserstack-runner vulnerable to Remote Code Execution via vm sandbox escape in _log HTTP handler High
CVE-2026-49143 was published for browserstack-runner (npm) Jun 3, 2026
Christbowel Credited to Christbowel
browserstack-runner has an unauthenticated arbitrary file read via path traversal in HTTP server High
CVE-2026-49144 was published for browserstack-runner (npm) Jun 3, 2026
Christbowel Credited to Christbowel
React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint High
CVE-2026-42342 was published for @remix-run/server-runtime (npm) Jun 3, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE High
CVE-2026-42211 was published for react-router (npm) Jun 3, 2026
SM41ldRag0n Credited to SM41ldRag0n
React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets High
CVE-2026-33245 was published for react-router (npm) Jun 3, 2026
x4cc3 Credited to x4cc3
launch-editor vulnerable to command injection via the crafted request on Windows High
CVE-2024-52011 was published for launch-editor (npm) Jun 3, 2026
Ry0taK Credited to Ry0taK
DOMPurify XSS via selectedcontent re-clone High
CVE-2026-47423 was published for dompurify (npm) Jun 1, 2026
KabirAcharya Credited to KabirAcharya
@agenticmail/mcp Missing Authentication for Critical Function High
CVE-2026-50287 was published for @agenticmail/mcp (npm) Jun 1, 2026
AgenticMail API/storage and outbound relay hardening fixes High
CVE-2026-47255 was published for @agenticmail/api (npm) May 29, 2026
NodeVM network builtin exclusions bypass via internal _http_client and _http_server High
CVE-2026-47139 was published for vm2 (npm) May 29, 2026
spbavarva Credited to spbavarva
ExifReader is vulnerable to denial of service via crafted ICC `mluc` tag High
CVE-2026-8813 was published for exifreader (npm) May 29, 2026
yuki-matsuhashi Credited to yuki-matsuhashi
vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain High
CVE-2026-47209 was published for vm2 (npm) May 29, 2026
q1uf3ngONEKEY Credited to q1uf3ngONEKEY
vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks High
CVE-2026-47135 was published for vm2 (npm) May 29, 2026
q1uf3ng Credited to q1uf3ng
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge High
CVE-2026-44495 was published for axios (npm) May 29, 2026
August829 Credited to August829
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy` High
CVE-2026-44494 was published for axios (npm) May 29, 2026
August829 Credited to August829
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database