GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
5,740 advisories
Renovate affected by remote code execution was possible using the bazel-module or bazelisk managers, when using lockFileMaintenance
Moderate
GHSA-5vjq-5jmg-39xq
was published
for
renovate
(npm)
Apr 16, 2026
LangSmith SDK: Streaming token events bypass output redaction
Moderate
GHSA-rr7j-v2q5-chgv
was published
for
langsmith
(npm)
Apr 16, 2026
@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
Critical
CVE-2026-33808
was published
for
@fastify/express
(npm)
Apr 16, 2026
@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes
Critical
CVE-2026-33807
was published
for
@fastify/express
(npm)
Apr 16, 2026
Fastify's connection header abuse enables stripping of proxy-added headers
Critical
CVE-2026-33805
was published
for
@fastify/http-proxy
(npm)
Apr 16, 2026
Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME
High
GHSA-33r3-4whc-44c2
was published
for
vite-plus
(npm)
Apr 16, 2026
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR
Moderate
GHSA-458j-xx4x-4375
was published
for
hono
(npm)
Apr 16, 2026
@vendure/core has a SQL Injection vulnerability
Critical
CVE-2026-40887
was published
for
@vendure/core
(npm)
Apr 14, 2026
MCP Server Kubernetes has an Argument Injection in port_forward tool via space-splitting
High
CVE-2026-39884
was published
for
mcp-server-kubernetes
(npm)
Apr 14, 2026
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
Moderate
CVE-2026-39381
was published
for
parse-server
(npm)
Apr 8, 2026
Parse Server has a login timing side-channel reveals user existence
Moderate
CVE-2026-39321
was published
for
parse-server
(npm)
Apr 8, 2026
Nest Affected by DoS via Recursive handleData in JsonSocket (TCP Transport)
High
CVE-2026-40879
was published
for
@nestjs/microservices
(npm)
Apr 14, 2026
@adonisjs/http-server has an Open Redirect vulnerability
Moderate
CVE-2026-40255
was published
for
@adonisjs/core
(npm)
Apr 14, 2026
OpenClaw may have stale policy enforcement for queued node actions
Low
CVE-2026-35648
was published
for
openclaw
(npm)
Mar 26, 2026
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass
Critical
GHSA-68qg-g8mg-6pr7
was published
for
@paperclipai/server
(npm)
Apr 10, 2026
Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF
Critical
CVE-2025-62718
was published
for
axios
(npm)
Apr 9, 2026
Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header
High
CVE-2026-33806
was published
for
fastify
(npm)
Apr 15, 2026
Sync-in Server has Username Enumeration via Timing Attack
Moderate
GHSA-43fj-qp3h-hrh5
was published
for
@sync-in/server
(npm)
Apr 15, 2026
Novu has a XSS sanitization bypass
High
GHSA-26wg-9xf2-q495
was published
for
novu/api
(npm)
Apr 14, 2026
Novu has SSRF via conditions filter webhook bypasses validateUrlSsrf() protection
High
GHSA-4x48-cgf9-q33f
was published
for
@novu/api
(npm)
Apr 14, 2026
ProTip!
Advisories are also available from the
GraphQL API