
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,421 advisories

React Router has stored XSS via unescaped Location header in prerendered redirect HTML Moderate
CVE-2026-33244 was published for react-router (npm) Jun 3, 2026
Credited to yuito-it
launch-editor vulnerable to command injection via the crafted request on Windows High
CVE-2024-52011 was published for launch-editor (npm) Jun 3, 2026
Credited to Ry0taK
Vitest browser mode serves unsanitized otelCarrier query parameter as inline script Critical
CVE-2026-47428 was published for @vitest/browser (npm) Jun 1, 2026
Credited to tomohiro86
When Vitest UI server is listening, arbitrary file can be read and executed Critical
CVE-2026-47429 was published for vitest (npm) Jun 1, 2026
Credited to sapphi-red, qispark, joevin-slq-docto, koteswar-k, SaronGrave, and jason-anthropic
DOMPurify XSS via selectedcontent re-clone High
CVE-2026-47423 was published for dompurify (npm) Jun 1, 2026
Credited to KabirAcharya
@agenticmail/mcp Missing Authentication for Critical Function High
CVE-2026-50287 was published for @agenticmail/mcp (npm) Jun 1, 2026
AgenticMail API/storage and outbound relay hardening fixes High
CVE-2026-47255 was published for @agenticmail/api (npm) May 29, 2026
Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers Moderate
CVE-2026-47248 was published for parse-server (npm) May 29, 2026
Credited to offset and mtrezza
NodeVM observability builtins leak host process and HTTP request data Moderate
CVE-2026-47141 was published for vm2 (npm) May 29, 2026
Credited to spbavarva
NodeVM network builtin exclusions bypass via internal _http_client and _http_server High
CVE-2026-47139 was published for vm2 (npm) May 29, 2026
Credited to spbavarva
NodeVM builtin denylist bypass via process and inspector/promises allows host code execution Critical
CVE-2026-47140 was published for vm2 (npm) May 29, 2026
Credited to spbavarva and VladimirEliTokarev
ExifReader is vulnerable to denial of service via crafted ICC `mluc` tag High
CVE-2026-8813 was published for exifreader (npm) May 29, 2026
Credited to yuki-matsuhashi
ExifReader is vulnerable to denial of service via unbounded decompression of image metadata Moderate
CVE-2026-8814 was published for exifreader (npm) May 29, 2026
Credited to yuki-matsuhashi
vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass Critical
CVE-2026-47210 was published for vm2 (npm) May 29, 2026
Credited to RealHurrison
Credited to q1uf3ngONEKEY
Credited to q1uf3ng
vm2 is Vulnerable to Sandbox Breakout Through Promise Species Critical
CVE-2026-47208 was published for vm2 (npm) May 29, 2026
Credited to XmiliaH
vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter Low
GHSA-q3fm-4wcw-g57x was published for vm2 (npm) May 29, 2026
Credited to fg0x0
vm2 has a Sandbox Escape issue Critical
CVE-2026-47131 was published for vm2 (npm) May 29, 2026
Credited to cookesan
Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*` Moderate
CVE-2026-47200 was published for @nuxt/nitro-server (npm) May 29, 2026
Credited to rmtsixq
Credited to August829
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy` High
CVE-2026-44494 was published for axios (npm) May 29, 2026
Credited to August829
Credited to HamdaanAliQuatil
Credited to Tal-Gav
ProTip! Advisories are also available from the GraphQL API