
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

17 advisories

Multer vulnerable to Denial of Service via incomplete cleanup (Severity: High)
CVE-2026-3304 was published for multer (npm) on Mar 1, 2026
Credited to EthanKim88, ctcpip, UlisesGascon, and bjohansebas

Multer vulnerable to Denial of Service via resource exhaustion (Severity: High)
CVE-2026-2359 was published for multer (npm) on Mar 1, 2026
Credited to ctcpip, nawin23, UlisesGascon, sheplu, and bjohansebas

@fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware (Severity: High)
CVE-2026-2880 was published for @fastify/middie (npm) on Feb 28, 2026
Credited to tachote, mcollina, and UlisesGascon

Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions (Severity: Moderate)
CVE-2025-13465 was published for lodash (npm) on Jan 21, 2026
Credited to lukas-eu, ljharb, UlisesGascon, falsyvalues, and jdalton

Withdrawn Advisory: express improperly controls modification of query properties (Severity: Low)
CVE-2024-51999 was published for express (npm) on Dec 1, 2025 (withdrawn)
Credited to ctcpip, wesleytodd, jonchurch, bjohansebas, and UlisesGascon

body-parser is vulnerable to denial of service when url encoding is used (Severity: Moderate)
CVE-2025-13466 was published for body-parser (npm) on Nov 25, 2025
Credited to Phillip9587, bjohansebas, UlisesGascon, ctcpip, sheplu, and jonchurch

on-headers is vulnerable to http response header manipulation (Severity: Low)
CVE-2025-7339 was published for on-headers (npm) on Jul 17, 2025
Credited to ctcpip, jonchurch, SPodjasek, UlisesGascon, sheplu, and Zen-cronic

Multer vulnerable to Denial of Service via unhandled exception from malformed request (Severity: High)
CVE-2025-7338 was published for multer (npm) on Jul 17, 2025
Credited to ctcpip, UlisesGascon, and LinusU

Multer vulnerable to Denial of Service via unhandled exception (Severity: High)
CVE-2025-48997 was published for multer (npm) on Jun 5, 2025
Credited to bjohansebas, ctcpip, Markiz9999, UlisesGascon, wesleytodd, and LinusU

Multer vulnerable to Denial of Service from maliciously crafted requests (Severity: High)
CVE-2025-47944 was published for multer (npm) on May 19, 2025
Credited to max-mathieu, wesleytodd, ctcpip, UlisesGascon, marco-ippolito, and jonchurch

Multer vulnerable to Denial of Service via memory leaks from unclosed streams (Severity: High)
CVE-2025-47935 was published for multer (npm) on May 19, 2025
Credited to ctcpip, UlisesGascon, and UnlimitedBytes

basic-auth-connect's callback uses time unsafe string comparison (Severity: High)
CVE-2024-47178 was published for basic-auth-connect (npm) on Sep 30, 2024
Credited to UlisesGascon, ctcpip, AdamKorcz, and blakeembrey

send vulnerable to template injection that can lead to XSS (Severity: Low)
CVE-2024-43799 was published for send (npm) on Sep 10, 2024
Credited to AdamKorcz, UlisesGascon, ctcpip, and wesleytodd

serve-static vulnerable to template injection that can lead to XSS (Severity: Low)
CVE-2024-43800 was published for serve-static (npm) on Sep 10, 2024
Credited to AdamKorcz, UlisesGascon, ctcpip, and wesleytodd

express vulnerable to XSS via response.redirect() (Severity: Low)
CVE-2024-43796 was published for express (npm) on Sep 10, 2024
Credited to AdamKorcz, UlisesGascon, ctcpip, and wesleytodd

body-parser vulnerable to denial of service when url encoding is enabled (Severity: High)
CVE-2024-45590 was published for body-parser (npm) on Sep 10, 2024
Credited to AdamKorcz, UlisesGascon, ctcpip, and wesleytodd

Express.js Open Redirect in malformed URLs (Severity: Moderate)
CVE-2024-29041 was published for express (npm) on Mar 25, 2024
Credited to FDrag0n, jonchurch, blakeembrey, wesleytodd, ruddermann, ctcpip, and UlisesGascon