
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,517 advisories

NocoDB: Reflected Cross-Site Scripting via Password Reset Token (Moderate)
CVE-2026-47376 was published for nocodb (npm) on Jun 5, 2026
Credited to fg0x0

NocoDB: Postgres SQL Injection in Formula `ARRAYSORT` (Moderate)
CVE-2026-47375 was published for nocodb (npm) on Jun 5, 2026
Credited to leduckhuong

NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints (Moderate)
CVE-2026-47279 was published for nocodb (npm) on Jun 5, 2026
Credited to leduckhuong

MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration (Moderate)
CVE-2026-47250 was published for mcp-server-kubernetes (npm) on Jun 5, 2026
Credited to yotampe-pluto

Supply chain compromise via malicious @cap-js/openapi (Critical)
GHSA-jpvj-wpmj-h7rv was published for @cap-js/openapi (npm) on Jun 4, 2026
Credited to Rootingg

Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 (Moderate)
CVE-2026-47674 was published for hono (npm) on Jun 4, 2026
Credited to offset and 0xEr3n

Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection (Moderate)
CVE-2026-47675 was published for hono (npm) on Jun 4, 2026
Credited to offset and 0xEr3n

Hono: JWT middleware accepts any Authorization scheme, not only Bearer (Moderate)
CVE-2026-47673 was published for hono (npm) on Jun 4, 2026
Credited to SQU4NCH

React Router vulnerable to Denial of Service via reflected user input in single-fetch (High)
CVE-2026-34077 was published for react-router (npm) on Jun 4, 2026
Credited to Oceandust and whrit

Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection (High)
CVE-2026-44496 was published for axios (npm) on Jun 4, 2026
Credited to August829

Allocation of Resources Without Limits or Throttling in Axios (High)
CVE-2026-44488 was published for axios (npm) on Jun 4, 2026
Credited to asadeddin and ngocnn97

browserstack-runner vulnerable to Remote Code Execution via vm sandbox escape in _log HTTP handler (High)
CVE-2026-49143 was published for browserstack-runner (npm) on Jun 3, 2026
Credited to Christbowel

browserstack-runner has an unauthenticated arbitrary file read via path traversal in HTTP server (High)
CVE-2026-49144 was published for browserstack-runner (npm) on Jun 3, 2026
Credited to Christbowel

React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint (High)
CVE-2026-42342 was published for @remix-run/server-runtime (npm) on Jun 3, 2026
Credited to adrgs, aisafe-bot, and SM41ldRag0n

React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets (High)
CVE-2026-33245 was published for react-router (npm) on Jun 3, 2026
Credited to x4cc3

React Router has stored XSS via unescaped Location header in prerendered redirect HTML (Moderate)
CVE-2026-33244 was published for react-router (npm) on Jun 3, 2026
Credited to yuito-it

launch-editor vulnerable to command injection via a crafted request on Windows (High)
CVE-2024-52011 was published for launch-editor (npm) on Jun 3, 2026
Credited to Ry0taK

Vitest browser mode serves unsanitized otelCarrier query parameter as inline script (Critical)
CVE-2026-47428 was published for @vitest/browser (npm) on Jun 1, 2026
Credited to tomohiro86

When the Vitest UI server is listening, arbitrary files can be read and executed (Critical)
CVE-2026-47429 was published for vitest (npm) on Jun 1, 2026
Credited to sapphi-red, qispark, joevin-slq-docto, koteswar-k, SaronGrave, and jason-anthropic