GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, counts per ecosystem: all reviewed 5,000+; Composer 5,000+; Erlang 40; GitHub Actions 38; Go 2,876; Maven 5,000+; npm 4,502; NuGet 780; pip 4,254; Pub 12; RubyGems 975; Rust 1,100; Swift 49. Unreviewed advisories: 5,000+.

Listing below: 4,503 reviewed npm advisories, most recent first (first page shown).

Advisory | Severity | Identifier | Package (ecosystem) | Published
StudioCMS has Authorization Bypass Through User-Controlled Key | Moderate | CVE-2026-24134 | studiocms (npm) | Jan 27, 2026
SandboxJS has Sandbox Escape via Unprotected AsyncFunction Constructor | Critical | CVE-2026-23830 | @nyariv/sandboxjs (npm) | Jan 27, 2026
Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration | Moderate | CVE-2025-59471 | next (npm) | Jan 27, 2026
Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter) | Moderate | CVE-2026-24473 | hono (npm) | Jan 27, 2026
hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception | Moderate | CVE-2026-24472 | hono (npm) | Jan 27, 2026
Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing | Moderate | CVE-2026-24398 | hono (npm) | Jan 27, 2026
Saltcorn's Reflected XSS and Command Injection vulnerabilities can be chained for 1-click-RCE | Critical | GHSA-cr3w-cw5w-h3fj | @saltcorn/server (npm) | Jan 26, 2026
pnpm has Path Traversal via arbitrary file permission modification | Moderate | CVE-2026-24131 | pnpm (npm) | Jan 26, 2026
pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip) | Moderate | CVE-2026-23888 | pnpm (npm) | Jan 26, 2026
pnpm has Windows-specific tarball Path Traversal | Moderate | CVE-2026-23889 | pnpm (npm) | Jan 26, 2026
pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin | Moderate | CVE-2026-23890 | pnpm (npm) | Jan 26, 2026
pnpm has symlink traversal in file:/git dependencies | Moderate | CVE-2026-24056 | pnpm (npm) | Jan 26, 2026
dcap-qvl has Missing Verification for QE Identity | Critical | CVE-2026-22696 | @phala/dcap-qvl (npm) | Jan 26, 2026
Orval Mock Generation Code Injection via const | High | CVE-2026-24132 | @orval/mock (npm) | Jan 22, 2026
Seroval affected by Denial of Service via Deeply Nested Objects | High | CVE-2026-24006 | seroval (npm) | Jan 22, 2026
Typebot affected by Credential Theft via Client-Side Script Execution and API Authorization Bypass | High | CVE-2025-65098 | @typebot.io/js (npm) | Jan 22, 2026
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions | Moderate | CVE-2025-13465 | lodash (npm) | Jan 21, 2026
Wrangler affected by OS Command Injection in `wrangler pages deploy` | High | CVE-2026-0933 | wrangler (npm) | Jan 21, 2026
Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow` | Low | CVE-2026-24048 | @backstage/backend-defaults (npm) | Jan 21, 2026
@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass | Moderate | CVE-2026-24047 | @backstage/cli-common (npm) | Jan 21, 2026
Backstage has a Possible Symlink Path Traversal in Scaffolder Actions | High | CVE-2026-24046 | @backstage/backend-defaults (npm) | Jan 21, 2026
Seroval affected by Denial of Service via Array serialization | High | CVE-2026-23957 | seroval (npm) | Jan 21, 2026
seroval affected by Denial of Service via RegExp serialization | High | CVE-2026-23956 | seroval (npm) | Jan 21, 2026
@envelop/graphql-modules has a Race Condition vulnerability | High | GHSA-h3hw-29fv-2x75 | @envelop/graphql-modules (npm) | Jan 21, 2026
ProTip: advisories are also available from the GraphQL API.