GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
555 advisories
vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape
Critical: CVE-2026-44005 was published for vm2 (npm) on May 7, 2026
next-intl has prototype pollution with `experimental.messages.precompile` via attacker-controlled translation catalog keys
Moderate: GHSA-4c35-wcg5-mm9h was published for next-intl (npm) on May 6, 2026
mcp-data-vis vulnerable to denial of service via unsanitized `select` key lookup on `Object.prototype` with `precompile: true`
Low: GHSA-r27j-894h-3w3p was published for icu-minify (npm) on May 6, 2026
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
High: CVE-2026-42033 was published for axios (npm) on May 5, 2026
Axios: Header Injection via Prototype Pollution
High: CVE-2026-42035 was published for axios (npm) on May 5, 2026
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
Moderate: CVE-2026-42041 was published for axios (npm) on May 5, 2026
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
Moderate: CVE-2026-42044 was published for axios (npm) on May 5, 2026
Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
High: CVE-2026-42264 was published for axios (npm) on May 5, 2026
n8n has XML Node Prototype Pollution that Leads to RCE
Critical: CVE-2026-42232 was published for n8n (npm) on Apr 29, 2026
n8n has Prototype Pollution in XML Webhook Body Parser that Leads to RCE
Critical: CVE-2026-42231 was published for n8n (npm) on Apr 29, 2026
Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations
Moderate: CVE-2026-42077 was published for @evomap/evolver (npm) on Apr 22, 2026
i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters
High: CVE-2026-41690 was published for i18next-http-middleware (npm) on Apr 22, 2026
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
Moderate: CVE-2026-41238 was published for dompurify (npm) on Apr 22, 2026
Deep Merge is Vulnerable to Prototype Pollution Through Lack of Sanitization
Moderate: CVE-2026-6594 was published for @brikcss/merge (npm) on Apr 20, 2026
Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution
Moderate: CVE-2026-5758 was published for protocol-buffers-schema (npm) on Apr 15, 2026
Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an...
High (Unreviewed): CVE-2026-34622 was published on Apr 14, 2026
Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an...
Moderate (Unreviewed): CVE-2026-34626 was published on Apr 14, 2026
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly...
Critical (Unreviewed): CVE-2026-34621 was published on Apr 11, 2026
LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`
Moderate: CVE-2026-40190 was published for langsmith (npm) on Apr 10, 2026
defu: Prototype pollution via `__proto__` key in defaults argument
High: CVE-2026-35209 was published for defu (npm) on Apr 4, 2026
@stablelib/cbor: Prototype poisoning via `__proto__` map keys in CBOR decoding
High: GHSA-w48f-fwg7-ww6p was published for @stablelib/cbor (npm) on Apr 4, 2026
DOMPurify USE_PROFILES prototype pollution allows event handlers
Moderate: GHSA-cj63-jhhr-wcxv was published for dompurify (npm) on Apr 3, 2026
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
Moderate: CVE-2026-2950 was published for lodash (npm) on Apr 1, 2026
MikroORM has Prototype Pollution in Utils.merge
High: CVE-2026-34221 was published for @mikro-orm/core (npm) on Mar 29, 2026
Handlebars.js has a Prototype Method Access Control Gap via Missing `__lookupSetter__` Blocklist Entry
Moderate: GHSA-7rx3-28cr-v5wh was published for handlebars (npm) on Mar 29, 2026
ProTip! Advisories are also available from the GraphQL API.