Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,029
Maven
5,000+
npm
5,000+
NuGet
976
pip
5,000+
Pub
13
RubyGems
1,070
Rust
1,404
Swift
61
Unreviewed advisories
All unreviewed
5,000+

422 advisories

Loading
Pi Agent: Race condition in Pi auth.json writes could expose stored credentials Low
CVE-2026-54327 was published for @earendil-works/pi-coding-agent (npm) Jun 17, 2026
urianpaul94 Credited to urianpaul94
Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass Low
CVE-2026-54326 was published for @earendil-works/pi-coding-agent (npm) Jun 16, 2026
urianpaul94 Credited to urianpaul94
Cross-site scripting via <NoScript> slot content in Nuxt's head components Low
GHSA-m3q2-p4fw-w38m was published for nuxt (npm) Jun 16, 2026
alcls01111 Credited to alcls01111
Nuxt: Dev server discloses project absolute path and persistent workspace UUID via `/.well-known/appspecific/com.chrome.devtools.json` Low
GHSA-rq7w-g337-39qq was published for nuxt (npm) Jun 15, 2026
manop55555 Credited to manop55555
DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output Low
GHSA-vxr8-fq34-vvx9 was published for dompurify (npm) Jun 15, 2026
offset Credited to offset
React Router: Potential CSRF via PUT/PATCH/DELETE document requests Low
CVE-2026-53663 was published for @remix-run/server-runtime (npm) Jun 15, 2026
gasbugs Credited to gasbugs
DOMPurify: SAFE_FOR_TEMPLATES bypass - template expressions survive sanitization inside <template> content when using DOM output modes Low
GHSA-gvmj-g25r-r7wr was published for dompurify (npm) Jun 15, 2026
IamLeandrooooo Credited to IamLeandrooooo
DOMPurify: `IN_PLACE` mode trusts attacker-controlled `nodeName` on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objects Low
GHSA-x4vx-rjvf-j5p4 was published for dompurify (npm) Jun 15, 2026
@babel/core: Arbitrary File Read via sourceMappingURL Comment Low
CVE-2026-49356 was published for @babel/core (npm) Jun 15, 2026
radoi-teodor Credited to radoi-teodor, JLHwung, nicolo-ribaudo, and liuxingbaoyu JLHwung JLHwung
nicolo-ribaudo nicolo-ribaudo liuxingbaoyu liuxingbaoyu
esbuild allows arbitrary file read when running the development server on Windows Low
GHSA-g7r4-m6w7-qqqr was published for esbuild (npm) Jun 12, 2026
dellalibera Credited to dellalibera
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning Low
CVE-2026-46342 was published for @nuxt/nitro-server (npm) May 19, 2026
fancymalware Credited to fancymalware
Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix Low
CVE-2026-44489 was published for axios (npm) May 29, 2026
Papra HTTP redirect bypass can lead to SSRF via webhook delivery system Low
CVE-2026-48051 was published for @papra/webhooks (npm) Jun 10, 2026
FredrikEV Credited to FredrikEV
OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write` Low
CVE-2026-42429 was published for openclaw (npm) Apr 9, 2026
smaeljaish771 Credited to smaeljaish771 and KeenSecurityLab KeenSecurityLab KeenSecurityLab
TeleJSON: DOM XSS via unsanitised constructor name in `new Function()` Low
CVE-2026-47099 was published for telejson (npm) Apr 2, 2026
Niccolo10 Credited to Niccolo10
NocoDB: Missing Ownership Check in MCP Attachment Read Low
CVE-2026-47388 was published for nocodb (npm) Jun 5, 2026
helwor-01 Credited to helwor-01
NocoDB: User Enumeration via Sign-In Timing Low
CVE-2026-47380 was published for nocodb (npm) Jun 5, 2026
AndyAnh174 Credited to AndyAnh174
Summarize contains a missing authorization vulnerability Low
CVE-2026-45244 was published for @steipete/summarize (npm) May 18, 2026
vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter Low
GHSA-q3fm-4wcw-g57x was published for vm2 (npm) May 29, 2026
fg0x0 Credited to fg0x0
@ai-sdk/provider-utils has an Uncontrolled Resource Consumption issue Low
CVE-2026-8769 was published for @ai-sdk/provider-utils (npm) May 18, 2026
@kilocode/cli Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor Low
CVE-2026-8766 was published for @kilocode/cli (npm) May 18, 2026
NocoDB: Stale Auth Cache After API Token Deletion Low
CVE-2026-46554 was published for nocodb (npm) May 21, 2026
bugbunny-research Credited to bugbunny-research
NocoDB: Attachment Size Limit Bypass via Upload-by-URL Low
CVE-2026-46553 was published for nocodb (npm) May 21, 2026
bugbunny-research Credited to bugbunny-research
NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation Low
CVE-2026-46549 was published for nocodb (npm) May 21, 2026
ik0z Credited to ik0z
@tootallnate/once vulnerable to Incorrect Control Flow Scoping Low
CVE-2026-3449 was published for @tootallnate/once (npm) Mar 3, 2026
janpe Credited to janpe, mpsijm, orien, danez, jusemon, apepper, omgovich, siddharth-kumra, and gbatterbee mpsijm mpsijm
orien orien danez danez jusemon jusemon apepper apepper omgovich omgovich siddharth-kumra siddharth-kumra gbatterbee gbatterbee
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database