Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,029
Maven
5,000+
npm
5,000+
NuGet
976
pip
5,000+
Pub
13
RubyGems
1,070
Rust
1,404
Swift
61
Unreviewed advisories
All unreviewed
5,000+

6,517 advisories

Loading
@angular/service-worker: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker High
CVE-2026-54264 was published for @angular/service-worker (npm) Jun 15, 2026
SkyZeroZx Credited to SkyZeroZx, alan-agius4, JeanMeche, and josephperrott alan-agius4 alan-agius4
JeanMeche JeanMeche josephperrott josephperrott
@angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate) High
CVE-2026-54268 was published for @angular/common (npm) Jun 15, 2026
JeanMeche Credited to JeanMeche, alan-agius4, SkyZeroZx, and josephperrott alan-agius4 alan-agius4
SkyZeroZx SkyZeroZx josephperrott josephperrott
@angular/common: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State Poisoning High
CVE-2026-54266 was published for @angular/common (npm) Jun 15, 2026
alan-agius4 Credited to alan-agius4, JeanMeche, and josephperrott JeanMeche JeanMeche
josephperrott josephperrott
@angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS) Moderate
CVE-2026-54265 was published for @angular/compiler (npm) Jun 15, 2026
SkyZeroZx Credited to SkyZeroZx, alan-agius4, JeanMeche, and JoostK alan-agius4 alan-agius4
JeanMeche JeanMeche JoostK JoostK
Angular: Template and Attribute Namespace Sanitization Bypass (XSS) Moderate
CVE-2026-50557 was published for @angular/compiler (npm) Jun 15, 2026
SkyZeroZx Credited to SkyZeroZx, alan-agius4, josephperrott, and AndrewKushnir alan-agius4 alan-agius4
josephperrott josephperrott AndrewKushnir AndrewKushnir
@angular/platform-server: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR High
CVE-2026-50556 was published for @angular/platform-server (npm) Jun 15, 2026
SkyZeroZx Credited to SkyZeroZx, alan-agius4, and josephperrott alan-agius4 alan-agius4
josephperrott josephperrott
@angular/platform-server: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') High
CVE-2026-50555 was published for @angular/platform-server (npm) Jun 15, 2026
SkyZeroZx Credited to SkyZeroZx, alan-agius4, and josephperrott alan-agius4 alan-agius4
josephperrott josephperrott
node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling) Moderate
CVE-2026-53655 was published for tar (npm) Jun 15, 2026
tonghuaroot Credited to tonghuaroot
launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows Moderate
CVE-2026-53632 was published for launch-editor (npm) Jun 15, 2026
RubenHoms Credited to RubenHoms, toxyl, and bluwy toxyl toxyl
bluwy bluwy
vite: `server.fs.deny` bypass on Windows alternate paths High
CVE-2026-53571 was published for vite (npm) Jun 15, 2026
TazmiDev Credited to TazmiDev, 332QAQ, and ArnaudBarre 332QAQ 332QAQ
ArnaudBarre ArnaudBarre
JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases Moderate
CVE-2026-53550 was published for js-yaml (npm) Jun 15, 2026
0xbughunter Credited to 0xbughunter
@babel/core: Arbitrary File Read via sourceMappingURL Comment Low
CVE-2026-49356 was published for @babel/core (npm) Jun 15, 2026
radoi-teodor Credited to radoi-teodor, JLHwung, nicolo-ribaudo, and liuxingbaoyu JLHwung JLHwung
nicolo-ribaudo nicolo-ribaudo liuxingbaoyu liuxingbaoyu
@angular/service-worker: Request Credential & Cache Policy Stripping Moderate
CVE-2026-50184 was published for @angular/service-worker (npm) Jun 15, 2026
SkyZeroZx Credited to SkyZeroZx, josephperrott, AndrewKushnir, alan-agius4, and JeanMeche josephperrott josephperrott
AndrewKushnir AndrewKushnir alan-agius4 alan-agius4 JeanMeche JeanMeche
@angular/common: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo) High
CVE-2026-50171 was published for @angular/common (npm) Jun 15, 2026
alan-agius4 Credited to alan-agius4, JeanMeche, AndrewKushnir, and josephperrott JeanMeche JeanMeche
AndrewKushnir AndrewKushnir josephperrott josephperrott
@angular/common: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache High
CVE-2026-50170 was published for @angular/common (npm) Jun 15, 2026
Yenya030 Credited to Yenya030, josephperrott, alan-agius4, AndrewKushnir, and dgp1130 josephperrott josephperrott
alan-agius4 alan-agius4 AndrewKushnir AndrewKushnir dgp1130 dgp1130
@angular/core: Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS) Moderate
CVE-2026-52725 was published for @angular/core (npm) Jun 15, 2026
SkyZeroZx Credited to SkyZeroZx, AndrewKushnir, alan-agius4, and josephperrott AndrewKushnir AndrewKushnir
alan-agius4 alan-agius4 josephperrott josephperrott
Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities Moderate
CVE-2026-50169 was published for @angular/service-worker (npm) Jun 15, 2026
Yenya030 Credited to Yenya030, alan-agius4, JeanMeche, josephperrott, and AndrewKushnir alan-agius4 alan-agius4
JeanMeche JeanMeche josephperrott josephperrott AndrewKushnir AndrewKushnir
@angular/platform-server: URL Parser Differential leading to SSRF Allowlist Bypass High
CVE-2026-50168 was published for @angular/platform-server (npm) Jun 15, 2026
alan-agius4 Credited to alan-agius4, AndrewKushnir, josephperrott, and 0xEr3n AndrewKushnir AndrewKushnir
josephperrott josephperrott 0xEr3n 0xEr3n
tmp: Type-confusion bypass of _assertPath allows path traversal via non-string prefix/postfix/template High
CVE-2026-49982 was published for tmp (npm) Jun 15, 2026
tonghuaroot Credited to tonghuaroot
ws: Memory exhaustion DoS from tiny fragments and data chunks High
CVE-2026-48779 was published for ws (npm) Jun 15, 2026
Nadav0077 Credited to Nadav0077
Angular Client Hydration DOM Clobbering & Response-Cache Poisoning High
CVE-2026-54267 was published for @angular/core (npm) Jun 15, 2026
SkyZeroZx Credited to SkyZeroZx, AndrewKushnir, alan-agius4, josephperrott, and JeanMeche AndrewKushnir AndrewKushnir
alan-agius4 alan-agius4 josephperrott josephperrott JeanMeche JeanMeche
Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization Moderate
CVE-2026-44311 was published for fabric (npm) Jun 12, 2026
Withdrawn Advisory: esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY High
GHSA-gv7w-rqvm-qjhr was published for esbuild (npm) Jun 12, 2026 withdrawn
sondt99 Credited to sondt99 and dungNHVhust dungNHVhust dungNHVhust
esbuild allows arbitrary file read when running the development server on Windows Low
GHSA-g7r4-m6w7-qqqr was published for esbuild (npm) Jun 12, 2026
dellalibera Credited to dellalibera
Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL High
CVE-2026-48152 was published for @budibase/server (npm) Jun 12, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database