GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
36 advisories
protobufjs: Denial of service through unbounded Any expansion during JSON conversion
High • CVE-2026-48712 was published for protobufjs (npm) Jun 15, 2026

protobufjs: Schema-derived names can shadow runtime-significant properties
Moderate • CVE-2026-54269 was published for protobufjs (npm) Jun 15, 2026

protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion
Moderate • CVE-2026-45740 was published for protobufjs (npm) May 19, 2026

protobuf.js: Denial of service through unbounded protobuf recursion
High • CVE-2026-44289 was published for protobufjs (npm) May 12, 2026

Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
Moderate • CVE-2026-42039 was published for axios (npm) May 5, 2026

Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer
High • CVE-2026-41680 was published for marked (npm) Apr 29, 2026

Apache Thrift Node.js bindings vulnerable to Uncontrolled Recursion
High • CVE-2026-41636 was published for thrift (npm) Apr 28, 2026

liquidjs has a Denial of Service via circular block reference in layout
High • CVE-2026-41311 was published for liquidjs (npm) Apr 24, 2026

xmldom: Uncontrolled recursion in XML serialization leads to DoS
High • CVE-2026-41673 was published for @xmldom/xmldom (npm) Apr 22, 2026

Nest Affected by DoS via Recursive handleData in JsonSocket (TCP Transport)
High • CVE-2026-40879 was published for @nestjs/microservices (npm) Apr 14, 2026

@stablelib/cbor: Stack exhaustion Denial of Service via deeply nested CBOR arrays, maps, or tags
High • GHSA-5jg4-p4qw-cgfr was published for @stablelib/cbor (npm) Apr 4, 2026

SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser
Moderate • CVE-2026-34211 was published for @nyariv/sandboxjs (npm) Apr 3, 2026

smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines
Moderate • GHSA-v3rj-xjv7-4jmq was published for smol-toml (npm) Mar 25, 2026

yaml is vulnerable to Stack Overflow via deeply nested YAML collections
Moderate • CVE-2026-33532 was published for yaml (npm) Mar 25, 2026

Parse Server LiveQuery subscription query depth bypass
High • CVE-2026-33508 was published for parse-server (npm) Mar 20, 2026

Parse Server has a query condition depth bypass via pre-validation transform pipeline
High • CVE-2026-33498 was published for parse-server (npm) Mar 20, 2026

Parse Server crash via deeply nested query condition operators
High • CVE-2026-32944 was published for parse-server (npm) Mar 17, 2026

flatted vulnerable to unbounded recursion DoS in parse() revive phase
High • CVE-2026-32141 was published for flatted (npm) Mar 13, 2026

Multer Vulnerable to Denial of Service via Uncontrolled Recursion
High • CVE-2026-3520 was published for multer (npm) Mar 5, 2026

Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack
High • CVE-2026-27601 was published for underscore (npm) Mar 3, 2026

Withdrawn Advisory: eslint has a Stack Overflow when serializing objects with circular references
Moderate • CVE-2025-50537 was published for eslint (npm) Jan 26, 2026 • withdrawn

Duplicate Advisory: Nodemailer is vulnerable to DoS through Uncontrolled Recursion
Moderate • GHSA-46j5-6fg5-4gv3 was published for nodemailer (npm) Dec 18, 2025 • withdrawn

node-forge has ASN.1 Unbounded Recursion
High • CVE-2025-66031 was published for node-forge (npm) Nov 26, 2025

express-xss-sanitizer has an unbounded recursion depth
Moderate • CVE-2025-59364 was published for express-xss-sanitizer (npm) Sep 26, 2025

Duplicate Advisory: express-xss-sanitizer has an unbounded recursion depth
Moderate • GHSA-qhwp-454g-2gv4 was published for express-xss-sanitizer (npm) Sep 15, 2025 • withdrawn