GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,732 advisories

NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins Moderate
CVE-2026-40346 was published for @nocobase/plugin-workflow-request (npm) Apr 15, 2026
Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header High
CVE-2026-33806 was published for fastify (npm) Apr 15, 2026
Credited to mcollina, climba03003, jsumners, and UlisesGascon
Sync-in Server has Username Enumeration via Timing Attack Moderate
GHSA-43fj-qp3h-hrh5 was published for @sync-in/server (npm) Apr 15, 2026
Credited to ppfeister and 7185
Novu has a XSS sanitization bypass High
GHSA-26wg-9xf2-q495 was published for novu/api (npm) Apr 14, 2026
Credited to JorianWoltjer
Novu has SSRF via conditions filter webhook bypasses validateUrlSsrf() protection High
GHSA-4x48-cgf9-q33f was published for @novu/api (npm) Apr 14, 2026
Credited to kodareef5
@vendure/core has a SQL Injection vulnerability Critical
CVE-2026-40887 was published for @vendure/core (npm) Apr 14, 2026
Credited to jacobfrantz1
MCP Server Kubernetes has an Argument Injection in port_forward tool via space-splitting High
CVE-2026-39884 was published for mcp-server-kubernetes (npm) Apr 14, 2026
Credited to TharVid
@adonisjs/http-server has an Open Redirect vulnerability Moderate
CVE-2026-40255 was published for @adonisjs/core (npm) Apr 14, 2026
Credited to thetutlage
MCPHub has an authentication bypass Moderate
CVE-2025-13822 was published for @samanhappy/mcphub (npm) Apr 14, 2026
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets Moderate
GHSA-r4q5-vmmm-2653 was published for follow-redirects (npm) Apr 14, 2026
Credited to Den-Sec
Nest Affected by DoS via Recursive handleData in JsonSocket (TCP Transport) High
CVE-2026-40879 was published for @nestjs/microservices (npm) Apr 14, 2026
Credited to hwpark6804-gif and kamilmysliwiec
SSH/SCP option injection allowing local RCE in @aiondadotcom/mcp-ssh High
GHSA-p4h8-56qp-hpgv was published for @aiondadotcom/mcp-ssh (npm) Apr 14, 2026
DbGate has cross site scripting via the SVG Icon String Handler component Low
CVE-2026-6216 was published for dbgate-web (npm) Apr 13, 2026
simple-git Affected by Command Execution via Option-Parsing Bypass High
CVE-2026-28291 was published for simple-git (npm) Apr 13, 2026
Credited to JuHwiSang and adnanrahim110
mathjs Allows Improperly Controlled Modification of Dynamically-Determined Object Attributes High
GHSA-jvff-x2qm-6286 was published for mathjs (npm) Apr 10, 2026
Credited to CykuTW and marado
unhead: Streaming SSR `streamKey` injected into inline script without identifier validation Low
GHSA-x7mm-9vvv-64w8 was published for unhead (npm) Apr 10, 2026
Credited to Jvr2022
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass Critical
GHSA-68qg-g8mg-6pr7 was published for @paperclipai/server (npm) Apr 10, 2026
Credited to sagilayani
next-intl has an open redirect vulnerability Moderate
CVE-2026-40299 was published for next-intl (npm) Apr 10, 2026
Credited to joniumGit
n8n-mcp has unauthenticated session termination and information disclosure in HTTP transport High
GHSA-75hx-xj24-mqrw was published for n8n-mcp (npm) Apr 10, 2026
Credited to yotampe-pluto
Credited to offset
Credited to OneThing4101
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain Critical
CVE-2026-40175 was published for axios (npm) Apr 10, 2026
Credited to raulvdv, SwTan98, and Wenxin-Jiang
@saltcorn/data vulnerable to SQL Injection via jsexprToSQL Literal Handler Low
GHSA-59xv-588h-2vmm was published for @saltcorn/data (npm) Apr 10, 2026
Credited to zulloper
Credited to axel-corsiez
@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service Moderate
CVE-2026-40074 was published for @sveltejs/kit (npm) Apr 10, 2026
Credited to elliott-with-the-longest-name-on-github