Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

66 advisories

Loading
kocaemre Credited to kocaemre, G-Rath, iBotPeaches, Starfox64, sfriedman-cape, and maikelvdh G-Rath G-Rath
iBotPeaches iBotPeaches Starfox64 Starfox64 sfriedman-cape sfriedman-cape maikelvdh maikelvdh
http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass Moderate
CVE-2026-55602 was published for http-proxy-middleware (npm) Jun 18, 2026
Str1ckl4nd Credited to Str1ckl4nd, Zyy0530, 7thParkk, G-Rath, and ethantkoenig Zyy0530 Zyy0530
7thParkk 7thParkk G-Rath G-Rath ethantkoenig ethantkoenig
JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases Moderate
CVE-2026-53550 was published for js-yaml (npm) Jun 15, 2026
0xbughunter Credited to 0xbughunter, soren121, mazze93, G-Rath, dargmuesli, and omgovich soren121 soren121
mazze93 mazze93 G-Rath G-Rath dargmuesli dargmuesli omgovich omgovich
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern High
CVE-2026-26996 was published for minimatch (npm) Feb 18, 2026
AkshayJainG Credited to AkshayJainG, ljharb, G-Rath, thomas-schlein, isaacs, and SamanthaPersico ljharb ljharb
G-Rath G-Rath thomas-schlein thomas-schlein isaacs isaacs SamanthaPersico SamanthaPersico
ajv has ReDoS when using `$data` option Moderate
CVE-2025-69873 was published for ajv (npm) Feb 11, 2026
epoberezkin Credited to epoberezkin, G-Rath, and wayne530 G-Rath G-Rath
wayne530 wayne530
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch Low
CVE-2026-24001 was published for diff (npm) Jan 14, 2026
guiyi-he Credited to guiyi-he, ExplodingCabbage, G-Rath, and CraigHammondDexcom ExplodingCabbage ExplodingCabbage
G-Rath G-Rath CraigHammondDexcom CraigHammondDexcom
glob CLI: Command injection via -c/--cmd executes matches with shell:true High
CVE-2025-64756 was published for glob (npm) Nov 17, 2025
Gyde04 Credited to Gyde04, aisle-research, G-Rath, bchew, qwilr-altonius, llwslc, EinfachHans, skremiec, AlanGreene, and isaacs aisle-research aisle-research
G-Rath G-Rath bchew bchew qwilr-altonius qwilr-altonius llwslc llwslc EinfachHans EinfachHans skremiec skremiec AlanGreene AlanGreene isaacs isaacs
validator.js has a URL validation bypass vulnerability in its isURL function Moderate
CVE-2025-56200 was published for validator (npm) Sep 30, 2025
G-Rath Credited to G-Rath, Moumouls, and aleyipsoftwire Moumouls Moumouls
aleyipsoftwire aleyipsoftwire
min-document vulnerable to prototype pollution Low
CVE-2025-57352 was published for min-document (npm) Sep 24, 2025
G-Rath Credited to G-Rath
Parcel has an Origin Validation Error vulnerability Moderate
CVE-2025-56648 was published for @parcel/reporter-dev-server (npm) Sep 17, 2025
R4356th Credited to R4356th, G-Rath, and Pomax G-Rath G-Rath
Pomax Pomax
guiyi-he Credited to guiyi-he and G-Rath G-Rath G-Rath
Regular Expression Denial of Service (ReDoS) in cross-spawn High
CVE-2024-21538 was published for cross-spawn (npm) Nov 8, 2024
rozeskjm Credited to rozeskjm and G-Rath G-Rath G-Rath
Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled Low
CVE-2024-51755 was published for twig/twig (Composer) Nov 6, 2024
maantje Credited to maantje, nicolas-grekas, and G-Rath nicolas-grekas nicolas-grekas
G-Rath G-Rath
Express Open Redirect vulnerability Low
CVE-2024-9266 was published for express (npm) Oct 3, 2024
m3t3kh4n Credited to m3t3kh4n and G-Rath G-Rath G-Rath
request_store has Incorrect Default Permissions Moderate
CVE-2024-43791 was published for request_store (RubyGems) Aug 23, 2024
G-Rath Credited to G-Rath
urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects Moderate
CVE-2024-37891 was published for urllib3 (pip) Jun 17, 2024
pquentin Credited to pquentin, illia-v, and G-Rath illia-v illia-v
G-Rath G-Rath
Kaminari Insecure File Permissions Vulnerability Moderate
CVE-2024-32978 was published for kaminari (RubyGems) May 28, 2024
G-Rath Credited to G-Rath
ROTP 6.2.2 and 6.2.1 has 0666 permissions for the .rb files. Moderate
CVE-2024-28862 was published for rotp (RubyGems) Mar 18, 2024
G-Rath Credited to G-Rath
NPM IP package incorrectly identifies some private IP addresses as public Low
CVE-2023-42282 was published for ip (npm) Feb 8, 2024
G-Rath Credited to G-Rath, levpachmanov, dotboris, and iFreilicht levpachmanov levpachmanov
dotboris dotboris iFreilicht iFreilicht
semver vulnerable to Regular Expression Denial of Service High
CVE-2022-25883 was published for semver (npm) Jun 21, 2023
mrgrain Credited to mrgrain, G-Rath, and ljharb G-Rath G-Rath
ljharb ljharb
xml2js is vulnerable to prototype pollution Moderate
CVE-2023-0842 was published for xml2js (npm) Apr 5, 2023
nokarin-dev Credited to nokarin-dev, OIRNOIR, simonkrol, 026f4c881aa25897e961f1c86b5ac8_pfghub, and G-Rath OIRNOIR OIRNOIR
simonkrol simonkrol 026f4c881aa25897e961f1c86b5ac8_pfghub 026f4c881aa25897e961f1c86b5ac8_pfghub G-Rath G-Rath
thorsten/phpmyfaq vulnerable to business logic errors High
CVE-2023-1887 was published for thorsten/phpmyfaq (Composer) Apr 5, 2023
G-Rath Credited to G-Rath
Server-Side Request Forgery in Request Moderate
CVE-2023-28155 was published for @cypress/request (npm) Mar 16, 2023
NikoRaisanen Credited to NikoRaisanen and G-Rath G-Rath G-Rath
Possible Denial of Service Vulnerability in Rack's header parsing Low
CVE-2023-27539 was published for rack (RubyGems) Mar 15, 2023
G-Rath Credited to G-Rath
ReDoS Vulnerability in ua-parser-js version High
CVE-2022-25927 was published for ua-parser-js (npm) Jan 24, 2023
G-Rath Credited to G-Rath and timtheguy-bs timtheguy-bs timtheguy-bs
ProTip! Advisories are also available from the GraphQL API