GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,269
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,487
Swift
61
Unreviewed advisories
All unreviewed
5,000+
13 advisories
Filter by severity
9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover
Critical
CVE-2026-55500
was published
for
9router
(npm)
Jul 6, 2026
Network-AI: EnvironmentManager.backup() follows symlinked directories and copies files outside the environment root into backups
Moderate
GHSA-6x2m-p4xp-wg22
was published
for
network-ai
(npm)
Jun 19, 2026
Network-AI: AgentRuntime sandbox path-prefix checks allow file access outside the configured base directory
Moderate
GHSA-jvcm-f35g-w78p
was published
for
network-ai
(npm)
Jun 19, 2026
Network-AI: Poisoned environment backup manifest allows arbitrary recursive deletion during backup pruning
High
GHSA-2fmp-9rvw-hc96
was published
for
network-ai
(npm)
Jun 19, 2026
TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover
High
CVE-2026-55660
was published
for
@tinacms/app
(npm)
Jun 19, 2026
OpenZeppelin Contracts Wizard: Line terminators in info.securityContact / info.license can inject lines into generated source
Low
GHSA-9wxg-vf3r-56hc
was published
for
@openzeppelin/wizard
(npm)
Jun 19, 2026
PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool
Critical
GHSA-p69m-4f92-2v84
was published
for
praisonai
(npm)
Jun 18, 2026
UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`
Moderate
CVE-2026-48125
was published
for
ua-parser-js
(npm)
Jun 15, 2026
protobufjs: Memory amplification from preserved unknown fields in binary decode
Moderate
CVE-2026-54270
was published
for
protobufjs
(npm)
Jun 15, 2026
Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection
Moderate
GHSA-268h-hp4c-crq3
was published
for
nodemailer
(npm)
Jun 15, 2026
Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization
Moderate
GHSA-wqvq-jvpq-h66f
was published
for
nodemailer
(npm)
Jun 15, 2026
Withdrawn Advisory: esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY
High
GHSA-gv7w-rqvm-qjhr
was published
for
esbuild
(npm)
Jun 12, 2026
•
withdrawn
9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes
Critical
CVE-2026-46339
was published
for
9router
(npm)
May 19, 2026
ProTip!
Advisories are also available from the
GraphQL API