GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

9 advisories

undici vulnerable to HTTP header injection via Set-Cookie percent-decoding (Severity: Moderate)
CVE-2026-9679 was published for undici (npm) Jun 19, 2026
Credited to tndud042713, mcollina, KhafraDev, and UlisesGascon
Multer vulnerable to Denial of Service via deeply nested field names (Severity: High)
CVE-2026-5079 was published for multer (npm) Jun 17, 2026
Credited to tndud042713, UlisesGascon, and bjohansebas
markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations (Severity: Moderate)
CVE-2026-48988 was published for markdown-it (npm) Jun 15, 2026
Credited to tndud042713
async-http-client: Cookie header not stripped on cross-origin redirect (Severity: High)
CVE-2026-45300 was published for org.asynchttpclient:async-http-client (Maven) May 18, 2026
Credited to tndud042713
protobuf.js: Denial of service through unbounded protobuf recursion (Severity: High)
CVE-2026-44289 was published for protobufjs (npm) May 12, 2026
Credited to peaktwilight, VladimirEliTokarev, AKiileX, tndud042713, dcodeIO, and alexander-fenster
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR (Severity: Moderate)
CVE-2026-56761 was published for hono (npm) Apr 16, 2026
Credited to tndud042713 and throwersedrickoctauious-del
Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO) (Severity: Moderate)
GHSA-vvjj-xcjg-gr5g was published for nodemailer (npm) Apr 8, 2026
Credited to tndud042713
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code (Severity: High)
CVE-2026-33943 was published for happy-dom (npm) Mar 26, 2026
Credited to tndud042713