GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
53 advisories
Svelte devalue: DoS via sparse array deserialization
High • CVE-2026-42570 was published for devalue (npm) • May 14, 2026

Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components
High • CVE-2026-44579 was published for next (npm) • May 11, 2026

@vitejs/plugin-rsc has a Denial of Service Vulnerability in React Server Components
High • GHSA-w94c-4vhp-22gx was published for @vitejs/plugin-rsc (npm) • May 11, 2026

Next.js Vulnerable to Denial of Service with Server Components
High • GHSA-8h8q-6873-q5fj was published for next (npm) • May 11, 2026

Facebook React has a Denial of Service Vulnerability in React Server Components
High • CVE-2026-23870 was published for react-server-dom-parcel (npm) • May 11, 2026

@fastify/accepts-serializer Vulnerable to Denial of Service via Unbounded Accept Header Cache Growth
High • CVE-2026-7768 was published for @fastify/accepts-serializer (npm) • May 8, 2026

vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion
High • CVE-2026-44004 was published for vm2 (npm) • May 7, 2026

basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
High • CVE-2026-44240 was published for basic-ftp (npm) • May 6, 2026

n8n Vulnerable to Unauthenticated Denial of Service via MCP Client Registration
High • CVE-2026-42236 was published for n8n (npm) • Apr 29, 2026

OpenClaw: Voice-call realtime WebSocket accepted oversized frames
High • CVE-2026-42437 was published for openclaw (npm) • Apr 17, 2026

basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()
High • CVE-2026-41324 was published for basic-ftp (npm) • Apr 16, 2026

MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport
High • CVE-2026-39313 was published for mcp-framework (npm) • Apr 16, 2026

Nest Affected by DoS via Recursive handleData in JsonSocket (TCP Transport)
High • CVE-2026-40879 was published for @nestjs/microservices (npm) • Apr 14, 2026

@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass
High • CVE-2026-40073 was published for @sveltejs/kit (npm) • Apr 10, 2026

Next.js has a Denial of Service with Server Components
High • GHSA-q4gf-8mx6-v5v3 was published for next (npm) • Apr 10, 2026

Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution
High • CVE-2026-34148 was published for @fedify/fedify (npm) • Apr 7, 2026

Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health Check Resolver
High • GHSA-6q22-g298-grjh was published for directus (npm) • Apr 4, 2026

Duplicate Advisory: OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion
High • GHSA-c447-w54g-f55j was published for openclaw (npm) • Mar 29, 2026 • withdrawn

OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure
High • CVE-2026-35633 was published for openclaw (npm) • Mar 26, 2026

Duplicate Advisory: OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels
High • GHSA-xq3g-m3j8-2vmm was published for openclaw (npm) • Mar 21, 2026 • withdrawn

OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion
High • CVE-2026-32980 was published for openclaw (npm) • Mar 16, 2026

Uncontrolled memory allocation via crafted SVG dimensions in @dicebear/converter
High • CVE-2026-29112 was published for @dicebear/converter (npm) • Mar 16, 2026

Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
High • CVE-2026-30946 was published for parse-server (npm) • Mar 11, 2026

express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network
High • CVE-2026-30827 was published for express-rate-limit (npm) • Mar 6, 2026

Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack
High • CVE-2026-27601 was published for underscore (npm) • Mar 3, 2026

ProTip! Advisories are also available from the GraphQL API.