GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
1,282 advisories
vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution
Critical
CVE-2026-44007
was published
for
vm2
(npm)
May 7, 2026
vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape
Critical
CVE-2026-43999
was published
for
vm2
(npm)
May 7, 2026
vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape
Critical
CVE-2026-44005
was published
for
vm2
(npm)
May 7, 2026
vm2 Access to Host Object Enables Sandbox Escape
Critical
CVE-2026-43997
was published
for
vm2
(npm)
May 7, 2026
vm2 has a Sandbox Escape Vulnerability
Critical
CVE-2026-44006
was published
for
vm2
(npm)
May 7, 2026
fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver
Critical
CVE-2026-44351
was published
for
fast-jwt
(npm)
May 6, 2026
MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint
Critical
CVE-2026-42281
was published
for
magicmirror
(npm)
May 5, 2026
VM2 Has Sandbox Breakout Through Inspect Function
Critical
CVE-2026-24781
was published
for
vm2
(npm)
May 5, 2026
VM2 Has Sandbox Breakout Through Promise Species
Critical
CVE-2026-24120
was published
for
vm2
(npm)
May 5, 2026
VM2 Sandbox Breakout Through __lookupGetter__
Critical
CVE-2026-24118
was published
for
vm2
(npm)
May 4, 2026
n8n has XML Node Prototype Pollution that to RCE
Critical
CVE-2026-42232
was published
for
n8n
(npm)
Apr 29, 2026
n8n has Prototype Pollution in XML Webhook Body Parser that Leads to RCE
Critical
CVE-2026-42231
was published
for
n8n
(npm)
Apr 29, 2026
electerm has Command Injection via runLinux funtion
Critical
CVE-2026-41501
was published
for
electerm
(npm)
Apr 24, 2026
Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses
Critical
GHSA-wpqr-6v78-jr5g
was published
for
@google/gemini-cli
(GitHub Actions)
Apr 24, 2026
Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution
Critical
CVE-2026-42076
was published
for
@evomap/evolver
(npm)
Apr 22, 2026
Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability
Critical
CVE-2026-41264
was published
for
flowise
(npm)
Apr 21, 2026
Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
Critical
CVE-2026-41265
was published
for
flowise
(npm)
Apr 18, 2026
ProTip!
Advisories are also available from the
GraphQL API