Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
41
GitHub Actions
41
Go
3,051
Maven
5,000+
npm
4,793
NuGet
825
pip
4,389
Pub
12
RubyGems
988
Rust
1,145
Swift
50
Unreviewed advisories
All unreviewed
5,000+

25 advisories

Loading
OS Command injection in npm-lockfile Critical
CVE-2022-0841 was published for npm-lockfile (npm) Mar 4, 2022
ljharb Credited to ljharb
Prototype Pollution in minimist Critical
CVE-2021-44906 was published for minimist (npm) Mar 18, 2022
alopix Credited to alopix and ljharb ljharb ljharb
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack High
CVE-2023-46234 was published for browserify-sign (npm) Oct 26, 2023
roadicing Credited to roadicing, ljharb, and katzj ljharb ljharb
katzj katzj
pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos Critical
CVE-2025-6545 was published for pbkdf2 (npm) Jun 23, 2025
ChALkeR Credited to ChALkeR and ljharb ljharb ljharb
form-data uses unsafe random function in form-data for choosing boundary Critical
CVE-2025-7783 was published for form-data (npm) Jul 21, 2025
benweissmann Credited to benweissmann and ljharb ljharb ljharb
cipher-base is missing type checks, leading to hash rewind and passing on crafted data Critical
CVE-2025-9287 was published for cipher-base (npm) Aug 21, 2025
ChALkeR Credited to ChALkeR and ljharb ljharb ljharb
Regular Expression Denial of Service (ReDoS) in braces Low
CVE-2018-1109 was published for braces (npm) Jan 6, 2022
ljharb Credited to ljharb
Command injection in node-dns-sync High
CVE-2020-11079 was published for dns-sync (npm) May 28, 2020
ljharb Credited to ljharb
Axios is vulnerable to DoS attack through lack of data size check High
CVE-2025-58754 was published for axios (npm) Sep 11, 2025
AmeerAssadi Credited to AmeerAssadi, FeBe95, and ljharb FeBe95 FeBe95
ljharb ljharb
Cross-Site Scripting in backbone Moderate
CVE-2016-10537 was published for backbone (npm) Feb 18, 2019
ljharb Credited to ljharb
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions Moderate
CVE-2025-13465 was published for lodash (npm) Jan 21, 2026
lukas-eu Credited to lukas-eu, ljharb, UlisesGascon, falsyvalues, and jdalton ljharb ljharb
UlisesGascon UlisesGascon falsyvalues falsyvalues jdalton jdalton
Prototype Pollution in extend Moderate
CVE-2018-16492 was published for extend (npm) Feb 7, 2019
ljharb Credited to ljharb
Open Redirect in url-parse Critical
CVE-2018-3774 was published for url-parse (npm) Aug 13, 2018
ljharb Credited to ljharb
url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. Moderate
CVE-2022-0691 was published for url-parse (npm) Feb 22, 2022
jhutchings1 Credited to jhutchings1, Kenny2github, y-yagi, Haxatron, and ljharb Kenny2github Kenny2github
y-yagi y-yagi Haxatron Haxatron ljharb ljharb
Path traversal in url-parse Moderate
CVE-2021-27515 was published for url-parse (npm) May 6, 2021
ljharb Credited to ljharb
Open redirect in url-parse Moderate
CVE-2021-3664 was published for url-parse (npm) Aug 10, 2021
ljharb Credited to ljharb
Improper Validation and Sanitization in url-parse Moderate
CVE-2020-8124 was published for url-parse (npm) Jan 6, 2022
ljharb Credited to ljharb
semver vulnerable to Regular Expression Denial of Service High
CVE-2022-25883 was published for semver (npm) Jun 21, 2023
mrgrain Credited to mrgrain, G-Rath, and ljharb G-Rath G-Rath
ljharb ljharb
Mongoose search injection vulnerability High
CVE-2024-53900 was published for mongoose (npm) Dec 2, 2024
balles Credited to balles, skrtheboss, and ljharb skrtheboss skrtheboss
ljharb ljharb
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion High
CVE-2025-15284 was published for qs (npm) Dec 30, 2025
samipmainali Credited to samipmainali and ljharb ljharb ljharb
qs's arrayLimit bypass in comma parsing allows denial of service Low
CVE-2026-2391 was published for qs (npm) Feb 12, 2026
SharokhAtaie Credited to SharokhAtaie and ljharb ljharb ljharb
pbkdf2 silently disregards Uint8Array input, returning static keys Critical
CVE-2025-6547 was published for pbkdf2 (npm) Jun 23, 2025
ChALkeR Credited to ChALkeR and ljharb ljharb ljharb
Authorization bypass in url-parse Moderate
CVE-2022-0512 was published for url-parse (npm) Feb 15, 2022
ljharb Credited to ljharb
url-parse Incorrectly parses URLs that include an '@' Moderate
CVE-2022-0639 was published for url-parse (npm) Feb 18, 2022
Haxatron Credited to Haxatron and ljharb ljharb ljharb
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern High
CVE-2026-26996 was published for minimatch (npm) Feb 18, 2026
AkshayJainG Credited to AkshayJainG, ljharb, G-Rath, thomas-schlein, isaacs, and SamanthaPersico ljharb ljharb
G-Rath G-Rath thomas-schlein thomas-schlein isaacs isaacs SamanthaPersico SamanthaPersico
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database