Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
3,193
Erlang
25
GitHub Actions
39
Go
2,385
Maven
3,027
npm
3,078
NuGet
529
pip
2,897
Pub
5
RubyGems
442
Rust
905
Swift
20
Unreviewed advisories
All unreviewed
5,000+

285 advisories

Loading
Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations Moderate
GHSA-2cjr-5v3h-v2w4 was published for @evomap/evolver (npm) Apr 22, 2026
xeloxa Credited to xeloxa
i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters High
GHSA-5fgg-jcpf-8jjw was published for i18next-http-middleware (npm) Apr 22, 2026
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback Moderate
CVE-2026-41238 was published for dompurify (npm) Apr 22, 2026
trace37labs Credited to trace37labs
Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution Moderate
CVE-2026-5758 was published for protocol-buffers-schema (npm) Apr 15, 2026
Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an... Moderate Unreviewed
CVE-2026-34626 was published Apr 14, 2026
Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an... High Unreviewed
CVE-2026-34622 was published Apr 14, 2026
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly... Critical Unreviewed
CVE-2026-34621 was published Apr 11, 2026
LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()` Moderate
CVE-2026-40190 was published for langsmith (npm) Apr 10, 2026
OneThing4101 Credited to OneThing4101
@stablelib/cbor: Prototype poisoning via `__proto__` map keys in CBOR decoding High
GHSA-w48f-fwg7-ww6p was published for @stablelib/cbor (npm) Apr 4, 2026
Jvr2022 Credited to Jvr2022
defu: Prototype pollution via `__proto__` key in defaults argument High
CVE-2026-35209 was published for defu (npm) Apr 4, 2026
BlackHatExploitation Credited to BlackHatExploitation and kricsleo kricsleo kricsleo
DOMPurify USE_PROFILES prototype pollution allows event handlers Moderate
GHSA-cj63-jhhr-wcxv was published for dompurify (npm) Apr 3, 2026
christos-eth Credited to christos-eth
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` Moderate
CVE-2026-2950 was published for lodash (npm) Apr 1, 2026
Haruna38 Credited to Haruna38, shpik-kr, maru1009, ott3r07, zolbooo, backuardo, falsyvalues, jonchurch, jdalton, and UlisesGascon shpik-kr shpik-kr
maru1009 maru1009 ott3r07 ott3r07 zolbooo zolbooo backuardo backuardo falsyvalues falsyvalues jonchurch jonchurch jdalton jdalton UlisesGascon UlisesGascon
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')... Critical Unreviewed
CVE-2024-52441 was published Nov 20, 2024
MikroORM has Prototype Pollution in Utils.merge High
CVE-2026-34221 was published for @mikro-orm/core (npm) Mar 29, 2026
lukas-eu Credited to lukas-eu
Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521 Moderate
CVE-2026-33994 was published for locutus (npm) Mar 27, 2026
gtsp233 Credited to gtsp233
Locutus has Prototype Pollution via __proto__ Key Injection in unserialize() Moderate
CVE-2026-33993 was published for locutus (npm) Mar 27, 2026
offset Credited to offset
Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry Moderate
GHSA-7rx3-28cr-v5wh was published for handlebars (npm) Mar 29, 2026
TinkAnet Credited to TinkAnet
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection Moderate
CVE-2026-33916 was published for handlebars (npm) Mar 26, 2026
ByamB4 Credited to ByamB4
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching Moderate
CVE-2026-33672 was published for picomatch (npm) Mar 25, 2026
ByamB4 Credited to ByamB4, danez, and doowb danez danez
doowb doowb
Convict has Prototype Pollution via startsWith() function Critical
CVE-2026-33864 was published for convict (npm) Mar 26, 2026
kevgeoleo Credited to kevgeoleo, vdata1, reallyTG, fkiriakos07, toufali, and clouserw vdata1 vdata1
reallyTG reallyTG fkiriakos07 fkiriakos07 toufali toufali clouserw clouserw
Convict has prototype pollution via load(), loadFile(), and schema initialization Critical
CVE-2026-33863 was published for convict (npm) Mar 26, 2026
toufali Credited to toufali and clouserw clouserw clouserw
n8n: Prototype Pollution in XML and GSuiteAdmin node parameters lead to RCE Critical
CVE-2026-33696 was published for n8n (npm) Mar 26, 2026
simonkoeck Credited to simonkoeck
Prototype Pollution via parse() in NodeJS flatted High
CVE-2026-33228 was published for flatted (npm) Mar 19, 2026
yohannslm Credited to yohannslm
Elysia Cookie Value Prototype Pollution Moderate
CVE-2026-31865 was published for elysia (npm) Mar 17, 2026
ebadfd Credited to ebadfd
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy Moderate
CVE-2026-32878 was published for parse-server (npm) Mar 17, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database