GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,289 advisories

webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies Moderate
CVE-2026-9595 was published for webpack-dev-server (npm) Jun 17, 2026
Credited to bjohansebas and UlisesGascon
Multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads Moderate
CVE-2026-5038 was published for multer (npm) Jun 17, 2026
Credited to yuki-matsuhashi, HamdaanAliQuatil, fasrm, UlisesGascon, bjohansebas, 0xStraw-Hat, bhaswanthc, ByamB4, sbouabid-sec, DavidCarliez, and JebeenLee
Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch Moderate
CVE-2026-54316 was published for @anthropic-ai/claude-code (npm) Jun 17, 2026
NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint Moderate
CVE-2026-53931 was published for nocodb (npm) Jun 17, 2026
Credited to p-
NocoDB: Server-Side Request Forgery via Base Migration URL Moderate
CVE-2026-53930 was published for nocodb (npm) Jun 17, 2026
Credited to TREXNEGRO
NocoDB: Stored Cross-Site Scripting via Secure Attachment Moderate
CVE-2026-53929 was published for nocodb (npm) Jun 17, 2026
Credited to bugbunny-research
NocoDB: Refresh Tokens Persist Through Password Recovery Moderate
CVE-2026-53928 was published for nocodb (npm) Jun 17, 2026
Credited to bugbunny-research
NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL Moderate
CVE-2026-53927 was published for nocodb (npm) Jun 17, 2026
Credited to TREXNEGRO
Chrome DevTools for agents: daemon.pid write follows symlinks in /tmp fallback runtime directory Moderate
CVE-2026-53765 was published for chrome-devtools-mcp (npm) Jun 17, 2026
Credited to enable7997
n8n: Wrong OAuth Scope on Evaluation Test Runs Endpoints Moderate
GHSA-664h-gpgq-h6xx was published for n8n (npm) Jun 17, 2026
Credited to YLChen-007
Pi Agent: Pi loads project-local extensions without approval Moderate
CVE-2026-54325 was published for @earendil-works/pi-coding-agent (npm) Jun 17, 2026
Credited to qerogram, urianpaul94, EQSTLab, kamalmarhubi, and useworld
Credited to Uhudsavasindankacanokcu2 and DavidCarliez
n8n: Denial of Service via ZIP decompression in webhook workflow Moderate
CVE-2026-54314 was published for n8n (npm) Jun 16, 2026
n8n: Public API Execution Retry Authorization Bypass Moderate
GHSA-h3jj-5f3v-3685 was published for n8n (npm) Jun 16, 2026
Credited to ksw9722
n8n: Python Code Node AST Validator Bypass Moderate
GHSA-jwm3-qcfw-c5pp was published for n8n (npm) Jun 16, 2026
Credited to Mistz1
Credited to sm1ee
n8n: Merge Node SQL Mode Prototype Pollution Moderate
CVE-2026-54311 was published for n8n (npm) Jun 16, 2026
Credited to sm1ee
n8n: Prototype Pollution enables confused-deputy execution via public webhooks Moderate
CVE-2026-54306 was published for n8n (npm) Jun 16, 2026
Credited to sm1ee
n8n: Missing Token Validation on Microsoft Agent 365 Trigger and Stripe Nodes Moderate
CVE-2026-54308 was published for n8n (npm) Jun 16, 2026
Credited to nkoorty and jjjutla
n8n: Wrong OAuth Scope On Evaluations Test Run Creation Endpoint Moderate
GHSA-hv7x-3x78-gx53 was published for n8n (npm) Jun 16, 2026
Credited to 34selen
n8n: NoSQL Injection in MongoDB Node Find And Replace Operation Moderate
CVE-2026-54313 was published for n8n (npm) Jun 16, 2026
Credited to sm1ee
n8n: SQL Injection in Postgres v1/TimescaleDB Nodes Moderate
CVE-2026-54310 was published for n8n (npm) Jun 16, 2026
Credited to sm1ee
n8n: Git Node Clone and Push Operations Bypass File Sandbox Moderate
CVE-2026-49465 was published for n8n (npm) Jun 16, 2026
Credited to tr4ce-ju
Astro: XSS via Unescaped Attribute Names in Spread Props Moderate
CVE-2026-54298 was published for astro (npm) Jun 16, 2026
Credited to Texuguinho1234
@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config Moderate
CVE-2026-54300 was published for @astrojs/netlify (npm) Jun 16, 2026
Credited to DavidCarliez