GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 73
GitHub Actions: 53
Go: 4,004
Maven: 5,000+
npm: 5,000+
NuGet: 974
pip: 5,000+
Pub: 13
RubyGems: 1,069
Rust: 1,395
Swift: 61
Unreviewed advisories
All unreviewed: 5,000+
2,237 advisories
@apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input
Moderate: CVE-2026-42853 was published for @apostrophecms/cli (npm) on May 14, 2026
actual Allows Electron to Run As Node
Moderate: CVE-2026-42890 was published for actual (npm) on Jun 8, 2026
Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers
Moderate: CVE-2026-47248 was published for parse-server (npm) on May 29, 2026
Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization
Moderate: CVE-2026-44311 was published for fabric (npm) on Jun 12, 2026
NodeVM observability builtins leak host process and HTTP request data
Moderate: CVE-2026-47141 was published for vm2 (npm) on May 29, 2026
Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
Moderate: CVE-2026-47200 was published for @nuxt/nitro-server (npm) on May 29, 2026
Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)
Moderate: CVE-2026-45670 was published for @nuxt/rspack-builder (npm) on May 19, 2026
Nuxt: Reflected XSS in `navigateTo()` external redirect
Moderate: CVE-2026-45669 was published for nuxt (npm) on May 19, 2026
joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas
Moderate: CVE-2026-48038 was published for joi (npm) on Jun 11, 2026
MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration
Moderate: CVE-2026-47250 was published for mcp-server-kubernetes (npm) on Jun 5, 2026
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
Moderate: CVE-2026-44490 was published for axios (npm) on May 29, 2026
NocoDB: OAuth Tokens Persist Through Security Events
Moderate: CVE-2026-53926 was published for nocodb (npm) on Jun 5, 2026
Budibase: Unvalidated VectorDB Host Parameter Enables SSRF
Moderate: CVE-2026-48148 was published for @budibase/server (npm) on Jun 12, 2026
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker
Moderate: CVE-2026-48147 was published for @budibase/backend-core (npm) on Jun 12, 2026
Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step
Moderate: CVE-2026-48128 was published for budibase (npm) on Jun 12, 2026
LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access
Moderate: CVE-2026-48121 was published for @langchain/langgraph-checkpoint-mongodb (npm) on Jun 12, 2026
@hapi/inert has a static-file confinement bypass via sibling-prefix path
Moderate: CVE-2026-48049 was published for @hapi/inert (npm) on Jun 11, 2026
wangEditor was discovered to contain a cross-site scripting (XSS) vulnerability via the image upload function
Moderate: CVE-2022-25037 was published for @wangeditor/editor (npm) on May 31, 2024
Cross-site scripting in Survey Creator
Moderate: CVE-2024-28635 was published for survey-creator (npm) on Mar 21, 2024
@cyntler/react-doc-viewer's TXTRenderer fails to sanitize file content and explicitly casts raw data as a ReactNode
Moderate: CVE-2026-30691 was published for @cyntler/react-doc-viewer (npm) on May 20, 2026
@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects
Moderate: CVE-2026-48022 was published for @hapi/wreck (npm) on Jun 11, 2026
@hulumi/baseline: AccountFoundation reuse paths silently downgrade GuardDuty / Security Hub posture
Moderate: CVE-2026-48037 was published for @hulumi/baseline (npm) on Jun 10, 2026
Svelte SSR vulnerable to cross-site scripting via spread attributes
Moderate: CVE-2026-42599 was published for svelte (npm) on May 14, 2026
Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State
Moderate: CVE-2026-42573 was published for svelte (npm) on May 14, 2026
Svelte: ReDoS in `<svelte:element>` Tag Validation
Moderate: CVE-2026-42567 was published for svelte (npm) on May 14, 2026
ProTip! Advisories are also available from the GraphQL API