GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
6,042 advisories
mcp-ssh-tool has file transfer path policy bypass and bearer token comparison hardening
High · GHSA-j7h9-2jh7-g967 was published for mcp-ssh-tool (npm) · May 7, 2026

nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)
Low · CVE-2026-44589 was published for nuxt-og-image (npm) · May 7, 2026

Compromised version of intercom-client published to npm
Critical · GHSA-54pg-9963-v8vg was published for intercom-client (npm) · May 7, 2026

Cinny vulnerable to access token disclosure via invalidated emoji pack avatar URL in service worker
High · CVE-2026-42553 was published for cinny (npm) · May 7, 2026

vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution
Critical · CVE-2026-44007 was published for vm2 (npm) · May 7, 2026

vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)
High · CVE-2026-44001 was published for vm2 (npm) · May 7, 2026

vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape
Critical · CVE-2026-43999 was published for vm2 (npm) · May 7, 2026

vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape
Critical · CVE-2026-44005 was published for vm2 (npm) · May 7, 2026

vm2 Access to Host Object Enables Sandbox Escape
Critical · CVE-2026-43997 was published for vm2 (npm) · May 7, 2026

vm2 has a Sandbox Escape Vulnerability
Critical · CVE-2026-44006 was published for vm2 (npm) · May 7, 2026

Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect
High · CVE-2026-44503 was published for Microsoft.Kiota.Abstractions (Go) · May 7, 2026

Vercel: Non-interactive mode includes CLI arguments in suggested command output
Moderate · CVE-2026-44479 was published for vercel (npm) · May 7, 2026

Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
Moderate · CVE-2026-44456 was published for hono (npm) · May 6, 2026

hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection
Moderate · CVE-2026-44455 was published for hono (npm) · May 6, 2026

Angular SSR has Open Redirect and Request Steering via Encoded X-Forwarded-Prefix
Moderate · CVE-2026-44437 was published for @angular/ssr (npm) · May 6, 2026

@axonflow/openclaw fix introduces plugin cache and credential-file permission hardening
Moderate · GHSA-cqmh-pcgr-q42f was published for @axonflow/openclaw (npm) · May 6, 2026

axonflow-sdk-typescript: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification
Moderate · GHSA-mph8-9v29-pm42 was published for @axonflow/sdk (npm) · May 6, 2026

Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks
Moderate · CVE-2026-44374 was published for @backstage/plugin-catalog-backend-module-unprocessed (npm) · May 6, 2026

Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules
Moderate · CVE-2026-44372 was published for nitro (npm) · May 6, 2026

Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules`
Moderate · CVE-2026-44373 was published for nitro (npm) · May 6, 2026

fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver
Critical · CVE-2026-44351 was published for fast-jwt (npm) · May 6, 2026

basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
High · CVE-2026-44240 was published for basic-ftp (npm) · May 6, 2026

dssrf: every IPv6 category bypasses is_url_safe
High · CVE-2026-44232 was published for dssrf (npm) · May 6, 2026

next-intl has prototype pollution with `experimental.messages.precompile` via attacker-controlled translation catalog keys
Moderate · GHSA-4c35-wcg5-mm9h was published for next-intl (npm) · May 6, 2026

mcp-data-vis vulnerable to denial of service via unsanitized `select` key lookup on `Object.prototype` with `precompile: true`
Low · GHSA-r27j-894h-3w3p was published for icu-minify (npm) · May 6, 2026

ProTip! Advisories are also available from the GraphQL API