Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
46
Go
3,272
Maven
5,000+
npm
5,000+
NuGet
867
pip
4,521
Pub
12
RubyGems
1,007
Rust
1,194
Swift
51
Unreviewed advisories
All unreviewed
5,000+

25 advisories

Loading
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression High
CVE-2026-1526 was published for undici (npm) Mar 13, 2026
HO-9 Credited to HO-9, mcollina, and UlisesGascon mcollina mcollina
UlisesGascon UlisesGascon
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation High
CVE-2026-2229 was published for undici (npm) Mar 13, 2026
aisle-research Credited to aisle-research, mcollina, and UlisesGascon mcollina mcollina
UlisesGascon UlisesGascon
Undici has CRLF Injection in undici via `upgrade` option Moderate
CVE-2026-1527 was published for undici (npm) Mar 13, 2026
mcollina Credited to mcollina and UlisesGascon UlisesGascon UlisesGascon
Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS Moderate
CVE-2026-2581 was published for undici (npm) Mar 13, 2026
jackhax Credited to jackhax, mcollina, and UlisesGascon mcollina mcollina
UlisesGascon UlisesGascon
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client High
CVE-2026-1528 was published for undici (npm) Mar 13, 2026
mcollina Credited to mcollina and UlisesGascon UlisesGascon UlisesGascon
Undici has an HTTP Request/Response Smuggling issue Moderate
CVE-2026-1525 was published for undici (npm) Mar 13, 2026
mcollina Credited to mcollina and UlisesGascon UlisesGascon UlisesGascon
Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation Moderate
CVE-2026-3419 was published for fastify (npm) Mar 5, 2026
TarPeg007 Credited to TarPeg007, jsumners, mcollina, and UlisesGascon jsumners jsumners
mcollina mcollina UlisesGascon UlisesGascon
Multer Vulnerable to Denial of Service via Uncontrolled Recursion High
CVE-2026-3520 was published for multer (npm) Mar 5, 2026
yuki-matsuhashi Credited to yuki-matsuhashi, ctcpip, and UlisesGascon ctcpip ctcpip
UlisesGascon UlisesGascon
Multer vulnerable to Denial of Service via incomplete cleanup High
CVE-2026-3304 was published for multer (npm) Mar 1, 2026
EthanKim88 Credited to EthanKim88, ctcpip, UlisesGascon, and bjohansebas ctcpip ctcpip
UlisesGascon UlisesGascon bjohansebas bjohansebas
Multer vulnerable to Denial of Service via resource exhaustion High
CVE-2026-2359 was published for multer (npm) Mar 1, 2026
ctcpip Credited to ctcpip, nawin23, UlisesGascon, sheplu, and bjohansebas nawin23 nawin23
UlisesGascon UlisesGascon sheplu sheplu bjohansebas bjohansebas
@fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware High
CVE-2026-2880 was published for @fastify/middie (npm) Feb 28, 2026
tachote Credited to tachote, mcollina, UlisesGascon, and Eomm mcollina mcollina
UlisesGascon UlisesGascon Eomm Eomm
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions Moderate
CVE-2025-13465 was published for lodash (npm) Jan 21, 2026
lukas-eu Credited to lukas-eu, ljharb, UlisesGascon, falsyvalues, and jdalton ljharb ljharb
UlisesGascon UlisesGascon falsyvalues falsyvalues jdalton jdalton
Withdrawn Advisory: express improperly controls modification of query properties Low
CVE-2024-51999 was published for express (npm) Dec 1, 2025 withdrawn
ctcpip Credited to ctcpip, wesleytodd, jonchurch, bjohansebas, and UlisesGascon wesleytodd wesleytodd
jonchurch jonchurch bjohansebas bjohansebas UlisesGascon UlisesGascon
body-parser is vulnerable to denial of service when url encoding is used Moderate
CVE-2025-13466 was published for body-parser (npm) Nov 25, 2025
Phillip9587 Credited to Phillip9587, bjohansebas, UlisesGascon, ctcpip, sheplu, and jonchurch bjohansebas bjohansebas
UlisesGascon UlisesGascon ctcpip ctcpip sheplu sheplu jonchurch jonchurch
on-headers is vulnerable to http response header manipulation Low
CVE-2025-7339 was published for on-headers (npm) Jul 17, 2025
ctcpip Credited to ctcpip, jonchurch, SPodjasek, UlisesGascon, sheplu, and Zen-cronic jonchurch jonchurch
SPodjasek SPodjasek UlisesGascon UlisesGascon sheplu sheplu Zen-cronic Zen-cronic
Multer vulnerable to Denial of Service via unhandled exception from malformed request High
CVE-2025-7338 was published for multer (npm) Jul 17, 2025
ctcpip Credited to ctcpip, UlisesGascon, and LinusU UlisesGascon UlisesGascon
LinusU LinusU
Multer vulnerable to Denial of Service via unhandled exception High
CVE-2025-48997 was published for multer (npm) Jun 5, 2025
bjohansebas Credited to bjohansebas, ctcpip, Markiz9999, UlisesGascon, wesleytodd, and LinusU ctcpip ctcpip
Markiz9999 Markiz9999 UlisesGascon UlisesGascon wesleytodd wesleytodd LinusU LinusU
Multer vulnerable to Denial of Service from maliciously crafted requests High
CVE-2025-47944 was published for multer (npm) May 19, 2025
max-mathieu Credited to max-mathieu, wesleytodd, ctcpip, UlisesGascon, marco-ippolito, and jonchurch wesleytodd wesleytodd
ctcpip ctcpip UlisesGascon UlisesGascon marco-ippolito marco-ippolito jonchurch jonchurch
Multer vulnerable to Denial of Service via memory leaks from unclosed streams High
CVE-2025-47935 was published for multer (npm) May 19, 2025
ctcpip Credited to ctcpip, UlisesGascon, and UnlimitedBytes UlisesGascon UlisesGascon
UnlimitedBytes UnlimitedBytes
basic-auth-connect's callback uses time unsafe string comparison High
CVE-2024-47178 was published for basic-auth-connect (npm) Sep 30, 2024
UlisesGascon Credited to UlisesGascon, ctcpip, AdamKorcz, and blakeembrey ctcpip ctcpip
AdamKorcz AdamKorcz blakeembrey blakeembrey
send vulnerable to template injection that can lead to XSS Low
CVE-2024-43799 was published for send (npm) Sep 10, 2024
AdamKorcz Credited to AdamKorcz, UlisesGascon, ctcpip, and wesleytodd UlisesGascon UlisesGascon
ctcpip ctcpip wesleytodd wesleytodd
serve-static vulnerable to template injection that can lead to XSS Low
CVE-2024-43800 was published for serve-static (npm) Sep 10, 2024
AdamKorcz Credited to AdamKorcz, UlisesGascon, ctcpip, and wesleytodd UlisesGascon UlisesGascon
ctcpip ctcpip wesleytodd wesleytodd
express vulnerable to XSS via response.redirect() Low
CVE-2024-43796 was published for express (npm) Sep 10, 2024
AdamKorcz Credited to AdamKorcz, UlisesGascon, ctcpip, and wesleytodd UlisesGascon UlisesGascon
ctcpip ctcpip wesleytodd wesleytodd
body-parser vulnerable to denial of service when url encoding is enabled High
CVE-2024-45590 was published for body-parser (npm) Sep 10, 2024
AdamKorcz Credited to AdamKorcz, UlisesGascon, ctcpip, and wesleytodd UlisesGascon UlisesGascon
ctcpip ctcpip wesleytodd wesleytodd
Express.js Open Redirect in malformed URLs Moderate
CVE-2024-29041 was published for express (npm) Mar 25, 2024
FDrag0n Credited to FDrag0n, jonchurch, blakeembrey, wesleytodd, ruddermann, ctcpip, and UlisesGascon jonchurch jonchurch
blakeembrey blakeembrey wesleytodd wesleytodd ruddermann ruddermann ctcpip ctcpip UlisesGascon UlisesGascon
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database