GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
117 advisories
DbGate: Unauthenticated Remote Code Execution via JSON Script Runner
Critical: CVE-2026-47668 was published for dbgate-serve (npm) on Jun 5, 2026
LiquidJS is Vulnerable to Remote Code Execution
Critical: CVE-2026-45618 was published for liquidjs (npm) on May 27, 2026
Electerm Local code through electerm's single-instance socket
Critical: CVE-2026-45353 was published for electerm (npm) on May 14, 2026
DeepSeek TUI: run_tests Tool Enables RCE via Malicious Repository Without Approval
Critical: CVE-2026-45311 was published for deepseek-tui (npm) on May 14, 2026
Electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking local type bookmark
Critical: CVE-2026-45058 was published for electerm (npm) on May 14, 2026
FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape
Critical: CVE-2026-46442 was published for flowise (npm) on May 14, 2026
SandboxJS has a sandbox escape via Function.caller leakage of internal call op
Critical: CVE-2026-43898 was published for @nyariv/sandboxjs (npm) on May 11, 2026
Electerm users can run dangerous code through link or command line
Critical: CVE-2026-43944 was published for electerm (npm) on May 8, 2026
next-npm-version is vulnerable to Command injection
Critical: CVE-2025-63706 was published for @jswork/next-npm-version (npm) on May 7, 2026
vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape
Critical: CVE-2026-44005 was published for vm2 (npm) on May 7, 2026
vm2 Access to Host Object Enables Sandbox Escape
Critical: CVE-2026-43997 was published for vm2 (npm) on May 7, 2026
vm2 has a Sandbox Escape Vulnerability
Critical: CVE-2026-44006 was published for vm2 (npm) on May 7, 2026
VM2 Has a Sandbox Escape Issue via SuppressedError
Critical: CVE-2026-26332 was published for vm2 (npm) on May 5, 2026
VM2 Has Sandbox Breakout Through Inspect Function
Critical: CVE-2026-24781 was published for vm2 (npm) on May 5, 2026
VM2 Has Sandbox Breakout Through Promise Species
Critical: CVE-2026-24120 was published for vm2 (npm) on May 5, 2026
VM2 Sandbox Breakout Through __lookupGetter__
Critical: CVE-2026-24118 was published for vm2 (npm) on May 4, 2026
Remote Code Execution (RCE) via String Literal Injection into math-codegen
Critical: CVE-2026-41507 was published for math-codegen (npm) on Apr 17, 2026
Arbitrary code execution in protobufjs
Critical: CVE-2026-41242 was published for protobufjs (npm) on Apr 16, 2026
Flowise: Code Injection in CSVAgent leads to Authenticated RCE
Critical: CVE-2026-41137 was published for flowise (npm) on Apr 16, 2026
OpenAI Codex CLI enables code execution through malicious MCP (Model Context Protocol) configuration files
Critical: CVE-2025-61260 was published for @openai/codex (npm) on Apr 14, 2026
Handlebars.js has JavaScript Injection via AST Type Confusion
Critical: CVE-2026-33937 was published for handlebars (npm) on Mar 27, 2026
n8n has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode
Critical: CVE-2026-33660 was published for n8n (npm) on Mar 25, 2026
thumbler allows OS Command Injection
Critical: CVE-2026-26833 was published for thumbler (npm) on Mar 25, 2026
textract is vulnerable to OS Command Injection
Critical: CVE-2026-26831 was published for textract (npm) on Mar 25, 2026
ProTip! Advisories are also available from the GraphQL API.