
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,516 advisories

webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies Moderate
CVE-2026-9595 was published for webpack-dev-server (npm) Jun 17, 2026
Credited to bjohansebas and UlisesGascon
Multer vulnerable to Denial of Service via deeply nested field names High
CVE-2026-5079 was published for multer (npm) Jun 17, 2026
Credited to tndud042713, UlisesGascon, and bjohansebas
Multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads Moderate
CVE-2026-5038 was published for multer (npm) Jun 17, 2026
Credited to yuki-matsuhashi, HamdaanAliQuatil, fasrm, UlisesGascon, bjohansebas, 0xStraw-Hat, bhaswanthc, ByamB4, sbouabid-sec, DavidCarliez, and JebeenLee
Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch Moderate
CVE-2026-54316 was published for @anthropic-ai/claude-code (npm) Jun 17, 2026
OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin High
CVE-2026-53840 was published for openclaw (npm) Jun 17, 2026
Credited to YLChen-007
NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint Moderate
CVE-2026-53931 was published for nocodb (npm) Jun 17, 2026
Credited to p-
NocoDB: Server-Side Request Forgery via Base Migration URL Moderate
CVE-2026-53930 was published for nocodb (npm) Jun 17, 2026
Credited to TREXNEGRO
NocoDB: Stored Cross-Site Scripting via Secure Attachment Moderate
CVE-2026-53929 was published for nocodb (npm) Jun 17, 2026
Credited to bugbunny-research
NocoDB: Refresh Tokens Persist Through Password Recovery Moderate
CVE-2026-53928 was published for nocodb (npm) Jun 17, 2026
Credited to bugbunny-research
NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL Moderate
CVE-2026-53927 was published for nocodb (npm) Jun 17, 2026
Credited to TREXNEGRO
Chrome DevTools for agents: daemon.pid write follows symlinks in /tmp fallback runtime directory Moderate
CVE-2026-53765 was published for chrome-devtools-mcp (npm) Jun 17, 2026
Credited to enable7997
n8n: Wrong OAuth Scope on Evaluation Test Runs Endpoints Moderate
GHSA-664h-gpgq-h6xx was published for n8n (npm) Jun 17, 2026
Credited to YLChen-007
Pi Agent: Pi loads project-local extensions without approval Moderate
CVE-2026-54325 was published for @earendil-works/pi-coding-agent (npm) Jun 17, 2026
Credited to qerogram, urianpaul94, EQSTLab, kamalmarhubi, and useworld
Pi Agent: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts High
CVE-2026-54328 was published for @earendil-works/pi-coding-agent (npm) Jun 17, 2026
Credited to urianpaul94
Pi Agent: Race condition in Pi auth.json writes could expose stored credentials Low
CVE-2026-54327 was published for @earendil-works/pi-coding-agent (npm) Jun 17, 2026
Credited to urianpaul94
Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass Low
CVE-2026-54326 was published for @earendil-works/pi-coding-agent (npm) Jun 16, 2026
Credited to urianpaul94
Credited to Uhudsavasindankacanokcu2 and DavidCarliez
Cross-site scripting via <NoScript> slot content in Nuxt's head components Low
GHSA-m3q2-p4fw-w38m was published for nuxt (npm) Jun 16, 2026
Credited to alcls01111
n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host High
CVE-2026-54304 was published for n8n (npm) Jun 16, 2026
Credited to 34selen
n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions High
CVE-2026-54309 was published for n8n (npm) Jun 16, 2026
Credited to ESPanda666
n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints High
CVE-2026-54305 was published for n8n (npm) Jun 16, 2026
Credited to Solidscripting
n8n: Credential Exfiltration via Permission Bypass High
CVE-2026-54307 was published for n8n (npm) Jun 16, 2026
n8n: Denial of Service via ZIP decompression in webhook workflow Moderate
CVE-2026-54314 was published for n8n (npm) Jun 16, 2026
n8n: Public API Execution Retry Authorization Bypass Moderate
GHSA-h3jj-5f3v-3685 was published for n8n (npm) Jun 16, 2026
Credited to ksw9722
n8n: Python Code Node AST Validator Bypass Moderate
GHSA-jwm3-qcfw-c5pp was published for n8n (npm) Jun 16, 2026
Credited to Mistz1