GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
102
GitHub Actions
54
Go
4,340
Maven
5,000+
npm
5,000+
NuGet
1,033
pip
5,000+
Pub
13
RubyGems
1,122
Rust
1,498
Swift
61
Unreviewed advisories
All unreviewed
5,000+
59 advisories
Filter by severity
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user
Moderate
CVE-2026-5078
was published
for
morgan
(npm)
Jul 10, 2026
undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching
Low
CVE-2026-11525
was published
for
undici
(npm)
Jun 19, 2026
undici WebSocket client vulnerable to denial of service via fragment count bypass
High
CVE-2026-12151
was published
for
undici
(npm)
Jun 19, 2026
undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
Moderate
CVE-2026-9679
was published
for
undici
(npm)
Jun 19, 2026
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse
High
CVE-2026-6734
was published
for
undici
(npm)
Jun 19, 2026
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
Low
CVE-2026-6733
was published
for
undici
(npm)
Jun 19, 2026
undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent
High
CVE-2026-9697
was published
for
undici
(npm)
Jun 18, 2026
undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
Moderate
CVE-2026-9678
was published
for
undici
(npm)
Jun 18, 2026
undici WebSocket client vulnerable to denial of service via cumulative fragment bypass
High
CVE-2026-9675
was published
for
undici
(npm)
Jun 18, 2026
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
Moderate
CVE-2026-9595
was published
for
webpack-dev-server
(npm)
Jun 17, 2026
Multer vulnerable to Denial of Service via deeply nested field names
High
CVE-2026-5079
was published
for
multer
(npm)
Jun 17, 2026
Multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads
Moderate
CVE-2026-5038
was published
for
multer
(npm)
Jun 17, 2026
yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
High
CVE-2026-42089
was published
for
yeoman-environment
(npm)
May 26, 2026
multiparty vulnerable to ReDoS via filename parsing
High
CVE-2026-8159
was published
for
multiparty
(npm)
May 18, 2026
multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing
High
CVE-2026-8162
was published
for
multiparty
(npm)
May 18, 2026
multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception
High
CVE-2026-8161
was published
for
multiparty
(npm)
May 18, 2026
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
Moderate
CVE-2026-6402
was published
for
webpack-dev-server
(npm)
May 18, 2026
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
High
CVE-2026-6322
was published
for
fast-uri
(npm)
May 8, 2026
fast-uri vulnerable to path traversal via percent-encoded dot segments
High
CVE-2026-6321
was published
for
fast-uri
(npm)
May 8, 2026
@fastify/accepts-serializer Vulnerable to Denial of Service via Unbounded Accept Header Cache Growth
High
CVE-2026-7768
was published
for
@fastify/accepts-serializer
(npm)
May 8, 2026
@fastify/static vulnerable to path traversal in directory listing
Moderate
CVE-2026-6410
was published
for
@fastify/static
(npm)
Apr 16, 2026
@fastify/static vulnerable to route guard bypass via encoded path separators
Moderate
CVE-2026-6414
was published
for
@fastify/static
(npm)
Apr 16, 2026
@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
Critical
CVE-2026-6270
was published
for
@fastify/middie
(npm)
Apr 16, 2026
@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
High
CVE-2026-33804
was published
for
@fastify/middie
(npm)
Apr 16, 2026
@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
Critical
CVE-2026-33808
was published
for
@fastify/express
(npm)
Apr 16, 2026
ProTip!
Advisories are also available from the
GraphQL API