GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub-reviewed advisories by ecosystem: Composer 5,000+, Erlang 49, GitHub Actions 49, Go 3,521, Maven 5,000+, npm 5,000+, NuGet 912, pip 4,768, Pub 13, RubyGems 1,036, Rust 1,229, Swift 53. Unreviewed advisories: 5,000+.

5,740 advisories match the current filter (GitHub-reviewed, npm); the first page is listed below, newest first.
| Published | Severity | Identifier | Package (ecosystem) | Summary |
|---|---|---|---|---|
| Apr 16, 2026 | Moderate | GHSA-5vjq-5jmg-39xq | renovate (npm) | Renovate: remote code execution was possible via the bazel-module or bazelisk managers when using lockFileMaintenance |
| Apr 16, 2026 | Moderate | GHSA-rr7j-v2q5-chgv | langsmith (npm) | LangSmith SDK: streaming token events bypass output redaction |
| Apr 16, 2026 | Critical | CVE-2026-33808 | @fastify/express (npm) | @fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) |
| Apr 16, 2026 | Critical | CVE-2026-33807 | @fastify/express (npm) | @fastify/express middleware path doubling causes authentication bypass in child plugin scopes |
| Apr 16, 2026 | Critical | CVE-2026-33805 | @fastify/http-proxy (npm) | Fastify: Connection header abuse enables stripping of proxy-added headers |
| Apr 16, 2026 | High | GHSA-33r3-4whc-44c2 | vite-plus (npm) | Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME |
| Apr 16, 2026 | Moderate | GHSA-458j-xx4x-4375 | hono (npm) | hono improperly handles JSX attribute names, allowing HTML injection in hono/jsx SSR |
| Apr 16, 2026 | Moderate | GHSA-39q2-94rc-95cp | dompurify (npm) | DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation |
| Apr 15, 2026 | Moderate | CVE-2026-40346 | @nocobase/plugin-workflow-request (npm) | NocoBase has SSRF in the Workflow HTTP Request and Custom Request plugins |
| Apr 15, 2026 | High | CVE-2026-33806 | fastify (npm) | Fastify has a body schema validation bypass via a leading space in the Content-Type header |
| Apr 15, 2026 | Moderate | GHSA-43fj-qp3h-hrh5 | @sync-in/server (npm) | Sync-in Server has username enumeration via a timing attack |
| Apr 14, 2026 | High | GHSA-26wg-9xf2-q495 | novu/api (npm) | Novu has an XSS sanitization bypass |
| Apr 14, 2026 | High | GHSA-4x48-cgf9-q33f | @novu/api (npm) | Novu has SSRF via the conditions filter webhook, which bypasses the validateUrlSsrf() protection |
| Apr 14, 2026 | Critical | CVE-2026-40887 | @vendure/core (npm) | @vendure/core has a SQL injection vulnerability |
| Apr 14, 2026 | High | CVE-2026-39884 | mcp-server-kubernetes (npm) | MCP Server Kubernetes has an argument injection in the port_forward tool via space-splitting |
| Apr 14, 2026 | Moderate | CVE-2026-40255 | @adonisjs/core (npm) | @adonisjs/http-server has an open redirect vulnerability |
| Apr 14, 2026 | Moderate | CVE-2025-13822 | @samanhappy/mcphub (npm) | MCPHub has an authentication bypass |
| Apr 14, 2026 | Moderate | GHSA-r4q5-vmmm-2653 | follow-redirects (npm) | follow-redirects leaks custom authentication headers to cross-domain redirect targets |
| Apr 14, 2026 | High | CVE-2026-40879 | @nestjs/microservices (npm) | Nest affected by DoS via recursive handleData in JsonSocket (TCP transport) |
| Apr 14, 2026 | High | GHSA-p4h8-56qp-hpgv | @aiondadotcom/mcp-ssh (npm) | SSH/SCP option injection allowing local RCE in @aiondadotcom/mcp-ssh |
| Apr 13, 2026 | Low | CVE-2026-6216 | dbgate-web (npm) | DbGate has cross-site scripting via the SVG Icon String Handler component |
| Apr 13, 2026 | High | CVE-2026-28291 | simple-git (npm) | simple-git affected by command execution via an option-parsing bypass |
| Apr 10, 2026 | High | GHSA-jvff-x2qm-6286 | mathjs (npm) | mathjs allows improperly controlled modification of dynamically-determined object attributes |
| Apr 10, 2026 | Low | GHSA-x7mm-9vvv-64w8 | unhead (npm) | unhead: streaming SSR `streamKey` injected into an inline script without identifier validation |
| Apr 10, 2026 | Critical | GHSA-68qg-g8mg-6pr7 | @paperclipai/server (npm) | paperclip vulnerable to unauthenticated remote code execution via an import authorization bypass |
ProTip! Advisories are also available from the GraphQL API.
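The same listing (GitHub-reviewed npm advisories, newest first) can be pulled programmatically. The query below is an added example, not part of the page or of GitHub's own documentation; it assumes the public GitHub GraphQL schema's `securityVulnerabilities` connection with its `ecosystem`, `severities` and `orderBy` arguments, and must be sent as an authenticated POST to https://api.github.com/graphql (a token with no special scopes suffices for public advisory data).

```graphql
# Added example: first page of GitHub-reviewed npm advisories, mirroring the
# listing above. Assumes the public GitHub GraphQL schema; run it against
# https://api.github.com/graphql with an Authorization: Bearer <token> header.
query RecentNpmAdvisories {
  securityVulnerabilities(
    first: 25
    ecosystem: NPM
    # Mirrors the page's "Filter by severity" control; omit to get all severities.
    severities: [CRITICAL, HIGH, MODERATE, LOW]
    # The connection orders by update time, not publication time, so an old
    # advisory that was recently edited can appear ahead of newly published ones.
    orderBy: { field: UPDATED_AT, direction: DESC }
  ) {
    pageInfo { hasNextPage endCursor }   # pass endCursor as `after:` for the next page
    nodes {
      advisory {
        ghsaId
        summary
        severity
        publishedAt
        # Both the GHSA id and, where one has been assigned, the CVE id; the
        # web listing shows whichever it considers primary.
        identifiers { type value }
      }
      package { ecosystem name }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
    }
  }
}
```

Each node is one (advisory, package, version range) pair rather than one advisory, so an advisory that affects several npm packages appears once per package; deduplicate on `advisory.ghsaId` if you want the row count to match the web listing. `vulnerableVersionRange` and `firstPatchedVersion` are the fields to compare against a lockfile when turning this feed into an alert.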