GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,523 advisories

html2pdf.js contains a cross-site scripting vulnerability (High)
CVE-2026-22787 was published for html2pdf.js (npm) Jan 14, 2026
Credited to aydinnyunus and eKoopmans

enclave-vm Vulnerable to Sandbox Escape via Host Error Prototype Chain (Critical)
CVE-2026-22686 was published for enclave-vm (npm) Jan 14, 2026

Outray cli is vulnerable to race conditions in tunnels creation (Moderate)
CVE-2026-22820 was published for outray (npm) Jan 13, 2026
Credited to gr33pp and SENSEiXENUS

Outray has a Race Condition in the cli's webapp (Moderate)
CVE-2026-22819 was published for outray (npm) Jan 13, 2026
Credited to SENSEiXENUS and gr33pp

Credited to calloc134 and devanshbatham

Quill is vulnerable to XSS via HTML export feature (Low)
CVE-2025-15056 was published for quill (npm) Jan 13, 2026

Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State (High)
CVE-2026-22814 was published for @adonisjs/lucid (npm) Jan 13, 2026
Credited to wodzen

Malicious website can execute commands on the local system through XSS in the OpenCode web UI (Critical)
CVE-2026-22813 was published for opencode-ai (npm) Jan 13, 2026
Credited to AlbertSPedersen

tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability (Moderate)
CVE-2026-22809 was published for tarteaucitronjs (npm) Jan 13, 2026
Credited to Yasha-ops

OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution (High)
CVE-2026-22812 was published for opencode-ai (npm) Jan 13, 2026
Credited to CyberShadow

Renovate vulnerable to arbitrary command injection via helmv3 manager and malicious Chart.yaml file (Moderate)
GHSA-3f44-xw83-3pmg was published for renovate (npm) Jan 13, 2026
Credited to astellingwerf

Renovate vulnerable to arbitrary command injection via gleam manager and malicious gleam.toml file (Moderate)
GHSA-xjr7-3c3g-m763 was published for renovate (npm) Jan 13, 2026
Credited to astellingwerf

Renovate vulnerable to arbitrary command injection via hermit manager and maliciously named dependencies (Moderate)
GHSA-36j9-mx87-2cff was published for renovate (npm) Jan 13, 2026
Credited to astellingwerf

Renovate vulnerable to arbitrary command injection via npm manager and malicious Renovate configuration (Moderate)
GHSA-fr4j-65pv-gjjj was published for renovate (npm) Jan 13, 2026
Credited to astellingwerf

Renovate vulnerable to arbitrary command injection via kustomize manager and malicious helm repository (Moderate)
GHSA-xv56-3wq5-9997 was published for renovate (npm) Jan 13, 2026
Credited to astellingwerf

Renovate vulnerable to arbitrary command injection via Gradle Wrapper and malicious `distributionUrl` (Moderate)
GHSA-pfq2-hh62-7m96 was published for renovate (npm) Jan 13, 2026
Credited to y4rvin

orval MCP client is vulnerable to a code injection attack (Critical)
CVE-2026-22785 was published for @orval/mcp (npm) Jan 13, 2026
Credited to nirhaas

HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover (High)
CVE-2026-22704 was published for @haxtheweb/haxcms-nodejs (npm) Jan 13, 2026
Credited to August829

n8n: Webhook Node IP Whitelist Bypass via Partial String Matching (Moderate)
CVE-2025-68949 was published for n8n (npm) Jan 13, 2026
Credited to berkdedekarginoglu

QuestDB UI's Web Console is Vulnerable to Cross-Site Scripting (Low)
CVE-2026-0824 was published for @questdb/web-console (npm) Jan 10, 2026

Angular has XSS Vulnerability via Unsanitized SVG Script Attributes (High)
CVE-2026-22610 was published for @angular/compiler (npm) Jan 9, 2026
Credited to alan-agius4, josephperrott, AndrewKushnir, jelbourn, hybrist, ShelbyKelley, and gkalpak

JavaScript SDK v2 users should add validation to the region parameter value or migrate to v3 (Low)
GHSA-j965-2qgj-vjmq was published for aws-sdk (npm) Jan 8, 2026

AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value (Low)
GHSA-6475-r3vj-m8vf was published for @smithy/config-resolver (npm) Jan 8, 2026

Ghost has SQL Injection in Members Activity Feed (Moderate)
CVE-2026-22596 was published for ghost (npm) Jan 8, 2026
Credited to odgrso