Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,967
Maven
5,000+
npm
5,000+
NuGet
973
pip
5,000+
Pub
13
RubyGems
1,064
Rust
1,387
Swift
56
Unreviewed advisories
All unreviewed
5,000+

579 advisories

Loading
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge High
CVE-2026-44495 was published for axios (npm) May 29, 2026
axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy` High
CVE-2026-44494 was published for axios (npm) May 29, 2026
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions Moderate
CVE-2026-44490 was published for axios (npm) May 29, 2026
Tal-Gav Credited to Tal-Gav
Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix Low
CVE-2026-44489 was published for axios (npm) May 29, 2026
@nevware21/ts-utils: Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty High
CVE-2026-46681 was published for @nevware21/ts-utils (npm) May 21, 2026
JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection High
CVE-2026-46625 was published for js-cookie (npm) May 21, 2026
teebow1e Credited to teebow1e
Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not... Moderate Unreviewed
CVE-2026-9101 was published May 20, 2026
multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception High
CVE-2026-8161 was published for multiparty (npm) May 18, 2026
Ser0n-ath Credited to Ser0n-ath, bjohansebas, kq5y, ByamB4, blakeembrey, ljharb, and UlisesGascon bjohansebas bjohansebas
kq5y kq5y ByamB4 ByamB4 blakeembrey blakeembrey ljharb ljharb UlisesGascon UlisesGascon
@tmlmobilidade/utils has prototype pollution in its setValueAtPath High
CVE-2026-45325 was published for @tmlmobilidade/utils (npm) May 18, 2026
0xBassia Credited to 0xBassia
parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names High
CVE-2026-45302 was published for parse-nested-form-data (npm) May 18, 2026
0xBassia Credited to 0xBassia
form-data-objectizer: Prototype pollution in form-data-objectizer via bracket-notation form keys High
CVE-2026-46510 was published for form-data-objectizer (npm) May 18, 2026
0xBassia Credited to 0xBassia
Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the... High Unreviewed
CVE-2026-8657 was published May 16, 2026
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @ranfdev/deepobj High
CVE-2026-46509 was published for @ranfdev/deepobj (npm) May 14, 2026
0xBassia Credited to 0xBassia
n8n Has an XML Node Prototype Pollution Patch Bypass Critical
CVE-2026-44791 was published for n8n (npm) May 14, 2026
simonkoeck Credited to simonkoeck
n8n: HTTP Request Node Pagination Prototype Pollution to RCE Critical
CVE-2026-44789 was published for n8n (npm) May 14, 2026
sm1ee Credited to sm1ee
protobuf.js: Prototype injection in generated message constructors Moderate
CVE-2026-44292 was published for protobufjs (npm) May 12, 2026
VladimirEliTokarev Credited to VladimirEliTokarev and dcodeIO dcodeIO dcodeIO
protobuf.js: Code generation gadget after prototype pollution High
CVE-2026-44291 was published for protobufjs (npm) May 12, 2026
VladimirEliTokarev Credited to VladimirEliTokarev and dcodeIO dcodeIO dcodeIO
protobuf.js: Process-wide denial of service through unsafe option paths High
CVE-2026-44290 was published for protobufjs (npm) May 12, 2026
AKiileX Credited to AKiileX, VladimirEliTokarev, and dcodeIO VladimirEliTokarev VladimirEliTokarev
dcodeIO dcodeIO
@theecryptochad/merge-guard has Prototype Pollution in its deepMerge() function High
GHSA-mhwj-73qx-jqxm was published for @theecryptochad/merge-guard (npm) May 11, 2026
TheeCryptoChad Credited to TheeCryptoChad
@rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data) High
CVE-2026-44483 was published for @rvf/set-get (npm) May 11, 2026
0xBassia Credited to 0xBassia
Velocity.js has a Prototype Pollution vulnerability through #set path assignment High
CVE-2026-44966 was published for velocityjs (npm) May 9, 2026
yumarun Credited to yumarun
query-parser-string is vulnerable to Prototype Pollution Critical
CVE-2025-63704 was published for query-string-parser (npm) May 7, 2026
parse-ini is vulnerable to Prototype Pollution in index.js() Critical
CVE-2025-63703 was published for parse-ini (npm) May 7, 2026
vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape Critical
CVE-2026-44005 was published for vm2 (npm) May 7, 2026
hongancalif Credited to hongancalif
next-intl has prototype pollution with `experimental.messages.precompile` via attacker-controlled translation catalog keys Moderate
GHSA-4c35-wcg5-mm9h was published for next-intl (npm) May 6, 2026
offset Credited to offset
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database