Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

59 advisories

Loading
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user Moderate
CVE-2026-5078 was published for morgan (npm) Jul 10, 2026
yuki-matsuhashi Credited to yuki-matsuhashi, UlisesGascon, and jonchurch UlisesGascon UlisesGascon
jonchurch jonchurch
UlisesGascon Credited to UlisesGascon, KhafraDev, and mcollina KhafraDev KhafraDev
mcollina mcollina
undici WebSocket client vulnerable to denial of service via fragment count bypass High
CVE-2026-12151 was published for undici (npm) Jun 19, 2026
lpinca Credited to lpinca, Nadav0077, and UlisesGascon Nadav0077 Nadav0077
UlisesGascon UlisesGascon
undici vulnerable to HTTP header injection via Set-Cookie percent-decoding Moderate
CVE-2026-9679 was published for undici (npm) Jun 19, 2026
tndud042713 Credited to tndud042713, mcollina, KhafraDev, and UlisesGascon mcollina mcollina
KhafraDev KhafraDev UlisesGascon UlisesGascon
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse High
CVE-2026-6734 was published for undici (npm) Jun 19, 2026
ChALkeR Credited to ChALkeR, mcollina, and UlisesGascon mcollina mcollina
UlisesGascon UlisesGascon
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse Low
CVE-2026-6733 was published for undici (npm) Jun 19, 2026
mcollina Credited to mcollina and UlisesGascon UlisesGascon UlisesGascon
tonghuaroot Credited to tonghuaroot and UlisesGascon UlisesGascon UlisesGascon
undici vulnerable to cross-user information disclosure via shared cache whitespace bypass Moderate
CVE-2026-9678 was published for undici (npm) Jun 18, 2026
AndrewMohawk Credited to AndrewMohawk, mcollina, and UlisesGascon mcollina mcollina
UlisesGascon UlisesGascon
undici WebSocket client vulnerable to denial of service via cumulative fragment bypass High
CVE-2026-9675 was published for undici (npm) Jun 18, 2026
mauriceng98 Credited to mauriceng98, Str1ckl4nd, mcollina, and UlisesGascon Str1ckl4nd Str1ckl4nd
mcollina mcollina UlisesGascon UlisesGascon
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies Moderate
CVE-2026-9595 was published for webpack-dev-server (npm) Jun 17, 2026
bjohansebas Credited to bjohansebas and UlisesGascon UlisesGascon UlisesGascon
Multer vulnerable to Denial of Service via deeply nested field names High
CVE-2026-5079 was published for multer (npm) Jun 17, 2026
tndud042713 Credited to tndud042713, UlisesGascon, and bjohansebas UlisesGascon UlisesGascon
bjohansebas bjohansebas
Multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads Moderate
CVE-2026-5038 was published for multer (npm) Jun 17, 2026
yuki-matsuhashi Credited to yuki-matsuhashi, HamdaanAliQuatil, fasrm, UlisesGascon, bjohansebas, 0xStraw-Hat, bhaswanthc, ByamB4, sbouabid-sec, DavidCarliez, and JebeenLee HamdaanAliQuatil HamdaanAliQuatil
fasrm fasrm UlisesGascon UlisesGascon bjohansebas bjohansebas 0xStraw-Hat 0xStraw-Hat bhaswanthc bhaswanthc ByamB4 ByamB4 sbouabid-sec sbouabid-sec DavidCarliez DavidCarliez JebeenLee JebeenLee
yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation High
CVE-2026-42089 was published for yeoman-environment (npm) May 26, 2026
mshima Credited to mshima, UlisesGascon, and 0xmrma UlisesGascon UlisesGascon
0xmrma 0xmrma
multiparty vulnerable to ReDoS via filename parsing High
CVE-2026-8159 was published for multiparty (npm) May 18, 2026
aszx87410 Credited to aszx87410, blakeembrey, and UlisesGascon blakeembrey blakeembrey
UlisesGascon UlisesGascon
multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing High
CVE-2026-8162 was published for multiparty (npm) May 18, 2026
ByamB4 Credited to ByamB4, bjohansebas, blakeembrey, and UlisesGascon bjohansebas bjohansebas
blakeembrey blakeembrey UlisesGascon UlisesGascon
multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception High
CVE-2026-8161 was published for multiparty (npm) May 18, 2026
Ser0n-ath Credited to Ser0n-ath, bjohansebas, kq5y, ByamB4, blakeembrey, ljharb, and UlisesGascon bjohansebas bjohansebas
kq5y kq5y ByamB4 ByamB4 blakeembrey blakeembrey ljharb ljharb UlisesGascon UlisesGascon
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins Moderate
CVE-2026-6402 was published for webpack-dev-server (npm) May 18, 2026
sapphi-red Credited to sapphi-red, UlisesGascon, bjohansebas, and alexander-akait UlisesGascon UlisesGascon
bjohansebas bjohansebas alexander-akait alexander-akait
fast-uri vulnerable to host confusion via percent-encoded authority delimiters High
CVE-2026-6322 was published for fast-uri (npm) May 8, 2026
Jvr2022 Credited to Jvr2022, mcollina, UlisesGascon, and climba03003 mcollina mcollina
UlisesGascon UlisesGascon climba03003 climba03003
fast-uri vulnerable to path traversal via percent-encoded dot segments High
CVE-2026-6321 was published for fast-uri (npm) May 8, 2026
Jvr2022 Credited to Jvr2022, mcollina, UlisesGascon, and climba03003 mcollina mcollina
UlisesGascon UlisesGascon climba03003 climba03003
@fastify/accepts-serializer Vulnerable to Denial of Service via Unbounded Accept Header Cache Growth High
CVE-2026-7768 was published for @fastify/accepts-serializer (npm) May 8, 2026
yuki-matsuhashi Credited to yuki-matsuhashi and UlisesGascon UlisesGascon UlisesGascon
@fastify/static vulnerable to path traversal in directory listing Moderate
CVE-2026-6410 was published for @fastify/static (npm) Apr 16, 2026
yuki-matsuhashi Credited to yuki-matsuhashi, mcollina, UlisesGascon, and climba03003 mcollina mcollina
UlisesGascon UlisesGascon climba03003 climba03003
@fastify/static vulnerable to route guard bypass via encoded path separators Moderate
CVE-2026-6414 was published for @fastify/static (npm) Apr 16, 2026
blakeembrey Credited to blakeembrey, mcollina, UlisesGascon, and climba03003 mcollina mcollina
UlisesGascon UlisesGascon climba03003 climba03003
@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes Critical
CVE-2026-6270 was published for @fastify/middie (npm) Apr 16, 2026
FredKSchott Credited to FredKSchott, climba03003, and UlisesGascon climba03003 climba03003
UlisesGascon UlisesGascon
@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option High
CVE-2026-33804 was published for @fastify/middie (npm) Apr 16, 2026
FredKSchott Credited to FredKSchott, mcollina, climba03003, and UlisesGascon mcollina mcollina
climba03003 climba03003 UlisesGascon UlisesGascon
FredKSchott Credited to FredKSchott, mcollina, UlisesGascon, and climba03003 mcollina mcollina
UlisesGascon UlisesGascon climba03003 climba03003
ProTip! Advisories are also available from the GraphQL API