GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
6,791 advisories
Filter by severity
SafeInstall agent guard shell parsing can miss raw package execution
High
GHSA-xrmc-c5cg-rv7x
was published
for
safeinstall-cli
(npm)
Jul 10, 2026
DesktopCommanderMCP is vulnerable to SSRF
Low
CVE-2026-10690
was published
for
@wonderwhy-er/desktop-commander
(npm)
Jun 3, 2026
DesktopCommanderMCP is vulnerable to Uncontrolled Resource Consumption
Low
CVE-2026-10691
was published
for
@wonderwhy-er/desktop-commander
(npm)
Jun 3, 2026
tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies
Moderate
CVE-2026-49977
was published
for
tarteaucitronjs
(npm)
Jul 10, 2026
libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays
High
CVE-2026-49866
was published
for
@libp2p/gossipsub
(npm)
Jul 10, 2026
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user
Moderate
CVE-2026-5078
was published
for
morgan
(npm)
Jul 10, 2026
ws: Memory exhaustion DoS from tiny fragments and data chunks
High
CVE-2026-48779
was published
for
ws
(npm)
Jun 15, 2026
LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex
High
CVE-2026-45617
was published
for
liquidjs
(npm)
May 27, 2026
LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime)
High
CVE-2026-45357
was published
for
liquidjs
(npm)
May 27, 2026
LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`
Moderate
CVE-2026-44646
was published
for
liquidjs
(npm)
May 27, 2026
LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body
Moderate
CVE-2026-44645
was published
for
liquidjs
(npm)
May 27, 2026
LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS
Moderate
CVE-2026-44644
was published
for
liquidjs
(npm)
May 27, 2026
Potential XSS vulnerability in jQuery
Moderate
CVE-2020-11022
was published
for
athlon1600/youtube-downloader
(RubyGems)
Apr 29, 2020
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
High
CVE-2026-44492
was published
for
axios
(npm)
May 29, 2026
Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data
Moderate
GHSA-382c-vx95-w3p5
was published
for
@jsonbored/gittensory-mcp
(npm)
Jul 9, 2026
Claw Orchestrator has inefficient regular expression complexity via validateRegex()
Moderate
CVE-2026-10291
was published
for
@enderfga/claw-orchestrator
(npm)
Jun 2, 2026
Claw Orchestrator is missing authentication for the component API Endpoint
Moderate
CVE-2026-10281
was published
for
@enderfga/claw-orchestrator
(npm)
Jun 1, 2026
Waku has an Open Redirect via `unstable_redirect` Helper
Low
CVE-2026-49456
was published
for
waku
(npm)
Jul 8, 2026
Waku: Cross-Origin CSRF on RSC Server Action Dispatch
Moderate
CVE-2026-49455
was published
for
waku
(npm)
Jul 8, 2026
n8n: Credential Exfiltration via Permission Bypass
High
CVE-2026-54307
was published
for
n8n
(npm)
Jun 16, 2026
yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
High
CVE-2026-42089
was published
for
yeoman-environment
(npm)
May 26, 2026
Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP
High
CVE-2026-47684
was published
for
@sync-in/server
(npm)
Jun 5, 2026
DbGate: Remote Code Execution via functionName injection in loadReader endpoint
High
CVE-2026-48017
was published
for
dbgate-api
(npm)
Jun 5, 2026
Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
Moderate
CVE-2026-47200
was published
for
@nuxt/nitro-server
(npm)
May 29, 2026
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
Low
CVE-2026-46342
was published
for
@nuxt/nitro-server
(npm)
May 19, 2026
ProTip!
Advisories are also available from the
GraphQL API