Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
3,193
Erlang
25
GitHub Actions
39
Go
2,385
Maven
3,027
npm
3,078
NuGet
529
pip
2,897
Pub
5
RubyGems
442
Rust
905
Swift
20
Unreviewed advisories
All unreviewed
5,000+

3,078 advisories

Loading
Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write High
GHSA-r466-rxw4-3j9j was published for @evomap/evolver (npm) Apr 22, 2026
xeloxa Credited to xeloxa
Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution Critical
GHSA-j5w5-568x-rq53 was published for @evomap/evolver (npm) Apr 22, 2026
xeloxa Credited to xeloxa
Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations Moderate
GHSA-2cjr-5v3h-v2w4 was published for @evomap/evolver (npm) Apr 22, 2026
xeloxa Credited to xeloxa
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided Moderate
GHSA-w5hq-g745-h8pq was published for uuid (npm) Apr 22, 2026
0xStraw-Hat Credited to 0xStraw-Hat
MCPHub has Path Traversal via Malicious MCPB Manifest Name High
GHSA-p3h2-2j4p-p83g was published for @samanhappy/mcphub (npm) Apr 22, 2026
keyblues Credited to keyblues
locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor High
GHSA-w937-fg2h-xhq2 was published for locize (npm) Apr 22, 2026
i18next-locize-backend has URL Injection via Unsanitized Path Parameters Moderate
GHSA-mgcp-mfp8-3q45 was published for i18next-locize-backend (npm) Apr 22, 2026
i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header High
CVE-2026-41683 was published for i18next-http-middleware (npm) Apr 22, 2026
xmldom: Uncontrolled recursion in XML serialization leads to DoS High
CVE-2026-41673 was published for @xmldom/xmldom (npm) Apr 22, 2026
Jvr2022 Credited to Jvr2022, praveen-kv, and KarimTantawey praveen-kv praveen-kv
KarimTantawey KarimTantawey
xmldom has XML injection through unvalidated DocumentType serialization High
CVE-2026-41674 was published for @xmldom/xmldom (npm) Apr 22, 2026
TharVid Credited to TharVid
xmldom has XML node injection through unvalidated processing instruction serialization High
CVE-2026-41675 was published for @xmldom/xmldom (npm) Apr 22, 2026
tlsbollei Credited to tlsbollei and TharVid TharVid TharVid
xmldom has XML node injection through unvalidated comment serialization High
CVE-2026-41672 was published for @xmldom/xmldom (npm) Apr 22, 2026
Jvr2022 Credited to Jvr2022 and TharVid TharVid TharVid
@nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading High
CVE-2026-41640 was published for @nocobase/database (npm) Apr 22, 2026
p80n-sec Credited to p80n-sec
@nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call High
CVE-2026-41641 was published for @nocobase/plugin-collection-sql (npm) Apr 22, 2026
p80n-sec Credited to p80n-sec
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters Moderate
CVE-2026-41650 was published for fast-xml-parser (npm) Apr 22, 2026
TharVid Credited to TharVid
Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping Moderate
CVE-2026-41591 was published for @marko/runtime-tags (npm) Apr 22, 2026
k0w4lzk1 Credited to k0w4lzk1
i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite High
GHSA-8847-338w-5hcj was published for i18next-fs-backend (npm) Apr 22, 2026
i18nextify has DOM XSS via javascript:/data: URL schemes in translated href/src attributes Moderate
GHSA-6457-mxpq-4fqq was published for i18nextify (npm) Apr 22, 2026
i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns Moderate
GHSA-q89c-q3h5-w34g was published for i18next-http-backend (npm) Apr 22, 2026
i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters High
GHSA-5fgg-jcpf-8jjw was published for i18next-http-middleware (npm) Apr 22, 2026
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) Moderate
CVE-2026-41240 was published for dompurify (npm) Apr 22, 2026
kodareef5 Credited to kodareef5
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode Moderate
CVE-2026-41239 was published for dompurify (npm) Apr 22, 2026
bencalif Credited to bencalif
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback Moderate
CVE-2026-41238 was published for dompurify (npm) Apr 22, 2026
trace37labs Credited to trace37labs
engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection High
GHSA-2r2p-4cgf-hv7h was published for engramx (npm) Apr 22, 2026
@saltcorn/data: Tenant user role is used for tenant creation role check High
GHSA-9237-rg5p-rhfw was published for @saltcorn/data (npm) Apr 22, 2026
j2l Credited to j2l
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database