Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,077
Erlang
29
GitHub Actions
19
Go
1,902
Maven
5,000+
npm
3,631
NuGet
638
pip
3,246
Pub
10
RubyGems
863
Rust
818
Swift
35
Unreviewed advisories
All unreviewed
5,000+

35 advisories

Loading
Prototype Pollution in lodash Critical
CVE-2019-10744 was published for lodash (npm) Jul 10, 2019
Insufficient validation when decoding a Socket.IO packet Critical
CVE-2022-2421 was published for socket.io-parser (npm) Oct 26, 2022
darrachequesne kurt-r2c
Server crashes on invalid Cloud Function or Cloud Job name Critical
CVE-2024-29027 was published for parse-server (npm) Mar 19, 2024
mtrezza EhsanParsania
Improper Input Validation in Automattic Mongoose Critical
CVE-2019-17426 was published for mongoose (npm) Oct 22, 2019
wyardley
Arbitrary Code Execution in eslint-utils Critical
CVE-2019-15657 was published for eslint-utils (npm) Aug 26, 2019
Prototype Pollution in deep-extend Critical
CVE-2018-3750 was published for deep-extend (npm) Oct 9, 2018
SES's dynamic import and spread operator provides possible path to arbitrary exfiltration and execution Critical
CVE-2023-39532 was published for ses (npm) Aug 9, 2023
corrideat
Etherpad Lite Access Restriction Bypass Critical
CVE-2018-6835 was published for ep_etherpad-lite (npm) May 13, 2022
Remote code execution in mongo-express Critical
CVE-2020-24391 was published for mongodb-query-parser (npm) Apr 13, 2021
Prototype Pollution in merge-recursive Critical
CVE-2018-3751 was published for merge-recursive (npm) Sep 18, 2018
ejs is vulnerable to remote code execution due to weak input validation Critical
CVE-2017-1000228 was published for ejs (npm) Nov 30, 2017
isolated-vm has vulnerable CachedDataOptions in API Critical
CVE-2022-39266 was published for isolated-vm (npm) Sep 30, 2022
hedgehog80
Nuclide Improper Input Validation Critical
CVE-2018-6333 was published for nuclide (npm) May 13, 2022
HashBrown CMS RCE Critical
CVE-2020-6948 was published for hashbrown-cms (npm) May 24, 2022
xmldom allows multiple root nodes in a DOM Critical
CVE-2022-39353 was published for @xmldom/xmldom (npm) Nov 1, 2022
frumioj karfau
kurt-r2c
Arbitrary Command Injection Critical
CVE-2021-23399 was published for wincred (npm) Jun 29, 2021
Validation bypass in jpv Critical
CVE-2020-17479 was published for jpv (npm) May 6, 2021
Improper parsing of octal bytes in netmask Critical
CVE-2021-28918 was published for netmask (npm) Apr 14, 2021
Improper Input Validation in network-manager Critical
CVE-2019-10786 was published for network-manager (npm) Apr 13, 2021
Prefix escape Critical
CVE-2021-21321 was published for fastify-reply-from (npm) Mar 3, 2021
Sandbox Breakout / Arbitrary Code Execution in safer-eval Critical
CVE-2019-10769 was published for safer-eval (npm) Dec 11, 2019
Command Injection in npm-programmatic Critical
CVE-2020-7614 was published for npm-programmatic (npm) Apr 23, 2020
linux-cmdline is vulnerable to Prototype Pollution via the constructor Critical
CVE-2020-7704 was published for linux-cmdline (npm) May 24, 2022
NextAuth.js before 4.10.3 and 3.29.10 sending verification requests (magic link) to unwanted emails Critical
CVE-2022-35924 was published for next-auth (npm) Aug 2, 2022
aried3r feross
Prototype Pollution in locutus Critical
CVE-2020-7719 was published for locutus (npm) May 6, 2021
ProTip! Advisories are also available from the GraphQL API