GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,648 advisories
Filter by severity
Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges
High
CVE-2026-50131
was published
for
@fedify/fedify
(npm)
Jul 14, 2026
ws: Memory exhaustion DoS from tiny fragments and data chunks
High
CVE-2026-48779
was published
for
ws
(npm)
Jun 15, 2026
SafeInstall agent guard shell parsing can miss raw package execution
High
GHSA-xrmc-c5cg-rv7x
was published
for
safeinstall-cli
(npm)
Jul 10, 2026
libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays
High
CVE-2026-49866
was published
for
@libp2p/gossipsub
(npm)
Jul 10, 2026
LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex
High
CVE-2026-45617
was published
for
liquidjs
(npm)
May 27, 2026
LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime)
High
CVE-2026-45357
was published
for
liquidjs
(npm)
May 27, 2026
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
High
CVE-2026-44492
was published
for
axios
(npm)
May 29, 2026
n8n: Credential Exfiltration via Permission Bypass
High
CVE-2026-54307
was published
for
n8n
(npm)
Jun 16, 2026
yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
High
CVE-2026-42089
was published
for
yeoman-environment
(npm)
May 26, 2026
Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP
High
CVE-2026-47684
was published
for
@sync-in/server
(npm)
Jun 5, 2026
DbGate: Remote Code Execution via functionName injection in loadReader endpoint
High
CVE-2026-48017
was published
for
dbgate-api
(npm)
Jun 5, 2026
@better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers
High
GHSA-j8v8-g9cx-5qf4
was published
for
@better-auth/scim
(npm)
Jul 7, 2026
@better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive
High
CVE-2026-53518
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption
High
CVE-2026-53517
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
Better Auth has insecure cryptographic defaults in oidcProvider: alg=none advertised and plain PKCE accepted by default
High
GHSA-9h47-pqcx-hjr4
was published
for
better-auth
(npm)
Jul 7, 2026
Better Auth has stored XSS in the auth-server origin via javascript: redirect_uri in oidc-provider and mcp
High
GHSA-86j7-9j95-vpqj
was published
for
better-auth
(npm)
Jul 7, 2026
Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email
High
CVE-2026-53516
was published
for
better-auth
(npm)
Jul 7, 2026
Better Auth vulnerable to unauthorized invitation acceptance via unverified email match in organization plugin
High
CVE-2026-53514
was published
for
better-auth
(npm)
Jul 7, 2026
TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes
High
CVE-2026-47759
was published
for
TinyMCE
(Composer)
Jun 5, 2026
FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover
High
CVE-2026-46479
was published
for
flowise
(npm)
May 14, 2026
FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover
High
CVE-2026-46478
was published
for
flowise
(npm)
May 14, 2026
FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover
High
CVE-2026-46477
was published
for
flowise
(npm)
May 14, 2026
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
High
CVE-2026-55501
was published
for
9router
(npm)
Jul 6, 2026
9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING
High
CVE-2026-49353
was published
for
9router
(npm)
Jul 2, 2026
OpenClaw: QQBot native approval buttons did not enforce configured approver identity
High
CVE-2026-35630
was published
for
openclaw
(npm)
Jul 2, 2026
ProTip!
Advisories are also available from the
GraphQL API