GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
40 advisories
Filter by severity
http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass
Moderate
CVE-2026-55602
was published
for
http-proxy-middleware
(npm)
Jun 18, 2026
JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
Moderate
CVE-2026-53550
was published
for
js-yaml
(npm)
Jun 15, 2026
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
High
CVE-2026-26996
was published
for
minimatch
(npm)
Feb 18, 2026
ajv has ReDoS when using `$data` option
Moderate
CVE-2025-69873
was published
for
ajv
(npm)
Feb 11, 2026
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
Low
CVE-2026-24001
was published
for
diff
(npm)
Jan 14, 2026
glob CLI: Command injection via -c/--cmd executes matches with shell:true
High
CVE-2025-64756
was published
for
glob
(npm)
Nov 17, 2025
validator.js has a URL validation bypass vulnerability in its isURL function
Moderate
CVE-2025-56200
was published
for
validator
(npm)
Sep 30, 2025
min-document vulnerable to prototype pollution
Low
CVE-2025-57352
was published
for
min-document
(npm)
Sep 24, 2025
Parcel has an Origin Validation Error vulnerability
Moderate
CVE-2025-56648
was published
for
@parcel/reporter-dev-server
(npm)
Sep 17, 2025
@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Moderate
CVE-2025-25285
was published
for
@octokit/endpoint
(npm)
Feb 14, 2025
Regular Expression Denial of Service (ReDoS) in cross-spawn
High
CVE-2024-21538
was published
for
cross-spawn
(npm)
Nov 8, 2024
NPM IP package incorrectly identifies some private IP addresses as public
Low
CVE-2023-42282
was published
for
ip
(npm)
Feb 8, 2024
semver vulnerable to Regular Expression Denial of Service
High
CVE-2022-25883
was published
for
semver
(npm)
Jun 21, 2023
xml2js is vulnerable to prototype pollution
Moderate
CVE-2023-0842
was published
for
xml2js
(npm)
Apr 5, 2023
Server-Side Request Forgery in Request
Moderate
CVE-2023-28155
was published
for
@cypress/request
(npm)
Mar 16, 2023
ReDoS Vulnerability in ua-parser-js version
High
CVE-2022-25927
was published
for
ua-parser-js
(npm)
Jan 24, 2023
decode-uri-component vulnerable to Denial of Service (DoS)
High
CVE-2022-38900
was published
for
decode-uri-component
(npm)
Nov 28, 2022
Uncaught exception in engine.io
Moderate
CVE-2022-41940
was published
for
engine.io
(npm)
Nov 21, 2022
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)
High
CVE-2022-37599
was published
for
loader-utils
(npm)
Oct 12, 2022
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url
Critical
CVE-2022-2900
was published
for
parse-url
(npm)
Sep 15, 2022
Regular expression denial of service in scss-tokenizer
High
CVE-2022-25758
was published
for
scss-tokenizer
(npm)
Jul 2, 2022
Infinite loop causing Denial of Service in colors
High
GHSA-5rqg-jm4f-cqx7
was published
for
Colors
(npm)
Jan 10, 2022
Regular Expression Denial of Service (ReDoS) in lodash
Moderate
CVE-2020-28500
was published
for
lodash
(RubyGems)
Jan 6, 2022
ProTip!
Advisories are also available from the
GraphQL API