GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
17 advisories
Filter by severity
code-server vulnerable to Missing Origin Validation in WebSockets
Critical
CVE-2023-26114
was published
for
code-server
(npm)
Mar 23, 2023
Unintentional leakage of private information via cross-origin websocket session hijacking
Moderate
CVE-2023-2850
was published
for
nodebb
(npm)
Jul 25, 2023
Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
Critical
CVE-2025-24964
was published
for
vitest
(npm)
Feb 4, 2025
Websites were able to send any requests to the development server and read the response in vite
Moderate
CVE-2025-24010
was published
for
vite
(npm)
Jan 21, 2025
Information exposure in Next.js dev server due to lack of origin verification
Low
CVE-2025-48068
was published
for
next
(npm)
May 28, 2025
Claude Code Improper Authorization via websocket connections from arbitrary origins
High
CVE-2025-52882
was published
for
@anthropic-ai/claude-code
(npm)
Jun 23, 2025
Komari vulnerable to Cross-site WebSocket Hijacking
High
GHSA-q355-h244-969h
was published
for
github.com/komari-monitor/komari
(Go)
Aug 12, 2025
Apache Zeppelin: Missing Origin Validation in WebSockets vulnerability
Moderate
CVE-2024-51775
was published
for
org.apache.zeppelin:zeppelin-shell
(Maven)
Aug 3, 2025
Canonical LXD Vulnerable to Privilege Escalation via WebSocket Connection Hijacking in Operations API
High
CVE-2025-54289
was published
for
github.com/canonical/lxd
(Go)
Oct 2, 2025
Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails
Moderate
CVE-2026-22689
was published
for
github.com/axllent/mailpit
(Go)
Jan 13, 2026
Bokeh server applications have Incomplete Origin Validation in WebSockets
Moderate
CVE-2026-21883
was published
for
bokeh
(pip)
Jan 6, 2026
@farmfe/core is Missing Origin Validation in WebSocket
Moderate
CVE-2025-56647
was published
for
@farmfe/core
(npm)
Feb 12, 2026
Storybook Dev Server is Vulnerable to WebSocket Hijacking
High
CVE-2026-27148
was published
for
storybook
(npm)
Feb 26, 2026
Next.js: null origin can bypass dev HMR websocket CSRF checks
Low
CVE-2026-27977
was published
for
next
(npm)
Mar 17, 2026
Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints
High
CVE-2026-34403
was published
for
github.com/0xJacky/Nginx-UI
(Go)
Apr 21, 2026
Kubetail has a Cross-Site WebSocket Hijacking issue that allows attacker to read Kubernetes logs from authenticated users
Moderate
CVE-2026-44514
was published
for
github.com/kubetail-org/kubetail/modules/cli
(Go)
May 7, 2026
Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability
Critical
CVE-2026-44211
was published
for
cline
(npm)
May 8, 2026
ProTip!
Advisories are also available from the
GraphQL API