GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,266 advisories

Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys Critical
CVE-2026-45321 was published for @tanstack/arktype-adapter (npm) May 12, 2026
Credited to ashishkurmi
SandboxJS has a sandbox escape via Function.caller leakage of internal call op Critical
CVE-2026-43898 was published for @nyariv/sandboxjs (npm) May 11, 2026
Credited to Macabely
WebdriverIO BrowserStack Service has a Command Injection issue Critical
CVE-2026-25244 was published for @wdio/browserstack-service (npm) May 11, 2026
Credited to hayageek
Angular Expressions - Remote Code Execution using filters Critical
CVE-2026-44643 was published for angular-expressions (npm) May 11, 2026
@profullstack/mcp-server vulnerable to OS Command Injection in domain_lookup Module Critical
GHSA-v6wj-c83f-v46x was published for @profullstack/mcp-server (npm) May 9, 2026
Credited to 232-323
Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability Critical
CVE-2026-44211 was published for cline (npm) May 8, 2026
Credited to sagilayani
Electerm users can run dangerous code through link or command line Critical
CVE-2026-43944 was published for electerm (npm) May 8, 2026
Credited to Curly-Haired-Baboon
Electerm runWidget has a path traversal that leads to arbitrary code execution Critical
CVE-2026-43940 was published for electerm (npm) May 8, 2026
Credited to osageling
vm2 has Sandbox Breakout Through Null Proto Exception Critical
CVE-2026-44009 was published for vm2 (npm) May 8, 2026
Credited to XmiliaH
vm2 has sandbox breakout via `neutralizeArraySpeciesBatch` Critical
CVE-2026-44008 was published for vm2 (npm) May 8, 2026
Credited to XmiliaH
query-parser-string is vulnerable to Prototype Pollution Critical
CVE-2025-63704 was published for query-string-parser (npm) May 7, 2026
parse-ini is vulnerable to Prototype Pollution in index.js() Critical
CVE-2025-63703 was published for parse-ini (npm) May 7, 2026
Compromised version of intercom-client published to npm Critical
GHSA-54pg-9963-v8vg was published for intercom-client (npm) May 7, 2026
next-npm-version is vulnerable to Command injection Critical
CVE-2025-63706 was published for @jswork/next-npm-version (npm) May 7, 2026
Credited to akshatgit
Credited to bugbunny-research
vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape Critical
CVE-2026-44005 was published for vm2 (npm) May 7, 2026
Credited to hongancalif
vm2 Access to Host Object Enables Sandbox Escape Critical
CVE-2026-43997 was published for vm2 (npm) May 7, 2026
Credited to c0rydoras
vm2 has a Sandbox Escape Vulnerability Critical
CVE-2026-44006 was published for vm2 (npm) May 7, 2026
Credited to c0rydoras
fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver Critical
CVE-2026-44351 was published for fast-jwt (npm) May 6, 2026
Credited to bhaswanthc and SociableSteve
Duplicate Advisory: OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation Critical
GHSA-m8wm-r5vq-qjpg was published for openclaw (npm) May 6, 2026 withdrawn
Duplicate Advisory: OpenClaw: Feishu webhook and card-action validation now fail closed Critical
GHSA-cjg8-85gj-v9q2 was published for openclaw (npm) May 6, 2026 withdrawn
MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint Critical
CVE-2026-42281 was published for magicmirror (npm) May 5, 2026
Credited to Astaruf
VM2 Has a WASM Sandbox Escape (Node 25 only) Critical
CVE-2026-26956 was published for vm2 (npm) May 5, 2026
Credited to 0x5t
VM2 Has a Sandbox Escape Issue via SuppressedError Critical
CVE-2026-26332 was published for vm2 (npm) May 5, 2026