
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

14 advisories

eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields Moderate
CVE-2026-44214 was published for eventsource-encoder (npm) May 8, 2026
sse-channel: SSE Injection via unsanitized event fields Moderate
CVE-2026-44217 was published for sse-channel (npm) May 5, 2026
Credited to SnailSploit
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream Moderate
CVE-2026-42037 was published for axios (npm) May 5, 2026
Credited to kobi-s
Credited to offset
basic-ftp has FTP Command Injection via CRLF High
CVE-2026-39983 was published for basic-ftp (npm) Apr 8, 2026
Credited to zebbern
Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO) Moderate
GHSA-vvjj-xcjg-gr5g was published for nodemailer (npm) Apr 8, 2026
Credited to tndud042713
Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter Low
GHSA-c7w3-x93f-qmm8 was published for nodemailer (npm) Mar 26, 2026
Credited to esquilichi
h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields High
CVE-2026-33128 was published for h3 (npm) Mar 18, 2026
Credited to 0xkakash1
Undici has CRLF Injection in undici via `upgrade` option Moderate
CVE-2026-1527 was published for undici (npm) Mar 13, 2026
Credited to mcollina and UlisesGascon
CRLF Injection in Nodejs ‘undici’ via host Moderate
CVE-2023-23936 was published for undici (npm) Feb 16, 2023
Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type Moderate
CVE-2022-35948 was published for undici (npm) Aug 18, 2022
Credited to happyhacking-k
undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect Low
CVE-2022-31151 was published for undici (npm) Jul 21, 2022
Credited to Haxatron
undici before v5.8.0 vulnerable to CRLF injection in request headers Moderate
CVE-2022-31150 was published for undici (npm) Jul 21, 2022
Credited to Haxatron
Improper handling of multiline messages in node-irc High
GHSA-52rh-5rpj-c3w6 was published for matrix-org-irc (npm) May 5, 2022
Credited to kurt-r2c and sunnypatell