Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,967
Maven
5,000+
npm
5,000+
NuGet
973
pip
5,000+
Pub
13
RubyGems
1,064
Rust
1,387
Swift
56
Unreviewed advisories
All unreviewed
5,000+

16 advisories

Loading
multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing High
CVE-2026-8162 was published for multiparty (npm) May 18, 2026
ByamB4 Credited to ByamB4, bjohansebas, blakeembrey, and UlisesGascon bjohansebas bjohansebas
blakeembrey blakeembrey UlisesGascon UlisesGascon
multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception High
CVE-2026-8161 was published for multiparty (npm) May 18, 2026
Ser0n-ath Credited to Ser0n-ath, bjohansebas, kq5y, ByamB4, blakeembrey, ljharb, and UlisesGascon bjohansebas bjohansebas
kq5y kq5y ByamB4 ByamB4 blakeembrey blakeembrey ljharb ljharb UlisesGascon UlisesGascon
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection Moderate
CVE-2026-33916 was published for handlebars (npm) Mar 26, 2026
ByamB4 Credited to ByamB4
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching Moderate
CVE-2026-33672 was published for picomatch (npm) Mar 25, 2026
ByamB4 Credited to ByamB4, danez, and doowb danez danez
doowb doowb
Picomatch has a ReDoS vulnerability via extglob quantifiers High
CVE-2026-33671 was published for picomatch (npm) Mar 25, 2026
ByamB4 Credited to ByamB4, danez, and doowb danez danez
doowb doowb
music-metadata has an infinite loop vulnerability in ASF parser High
CVE-2026-32256 was published for music-metadata (npm) Mar 17, 2026
ByamB4 Credited to ByamB4
file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry Moderate
CVE-2026-32630 was published for file-type (npm) Mar 13, 2026
ByamB4 Credited to ByamB4
Locutus vulnerable to RCE via unsanitized input in create_function() Critical
CVE-2026-32304 was published for locutus (npm) Mar 13, 2026
ByamB4 Credited to ByamB4
flatted vulnerable to unbounded recursion DoS in parse() revive phase High
CVE-2026-32141 was published for flatted (npm) Mar 13, 2026
ByamB4 Credited to ByamB4
liquidjs has a path traversal fallback vulnerability High
CVE-2026-30952 was published for liquidjs (npm) Mar 10, 2026
MorielHarush Credited to MorielHarush, ByamB4, and caplanmaor ByamB4 ByamB4
caplanmaor caplanmaor
SVGO DoS through entity expansion in DOCTYPE (Billion Laughs) High
CVE-2026-29074 was published for svgo (npm) Mar 4, 2026
ByamB4 Credited to ByamB4 and isaacs isaacs isaacs
Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack High
CVE-2026-27601 was published for underscore (npm) Mar 3, 2026
ByamB4 Credited to ByamB4 and jgonggrijp jgonggrijp jgonggrijp
Parse Dashboard is Missing Authorization for its Agent Endpoint Critical
CVE-2026-27608 was published for parse-dashboard (npm) Feb 25, 2026
mtrezza Credited to mtrezza and ByamB4 ByamB4 ByamB4
Parse Dashboard has incomplete authentication on AI Agent endpoint Critical
CVE-2026-27595 was published for parse-dashboard (npm) Feb 25, 2026
ByamB4 Credited to ByamB4 and mtrezza mtrezza mtrezza
OneUptime:: node:vm sandbox escape in probe allows any project member to achieve RCE Critical
CVE-2026-27574 was published for @oneuptime/common (npm) Feb 24, 2026
ByamB4 Credited to ByamB4
fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) High
CVE-2026-26278 was published for fast-xml-parser (npm) Feb 17, 2026
ByamB4 Credited to ByamB4 and yuezk yuezk yuezk
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database