GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories

GitHub reviewed advisories (by ecosystem):
All reviewed: 5,000+
Composer: 5,000+
Erlang: 73
GitHub Actions: 53
Go: 4,004
Maven: 5,000+
npm: 5,000+
NuGet: 975
pip: 5,000+
Pub: 13
RubyGems: 1,069
Rust: 1,395
Swift: 61

Unreviewed advisories:
All unreviewed: 5,000+

6,465 advisories
Nuxt: Dev server discloses project absolute path and persistent workspace UUID via `/.well-known/appspecific/com.chrome.devtools.json` | Severity: Low | GHSA-rq7w-g337-39qq | published for nuxt (npm), Jun 15, 2026

aws-cdk-lib: OS Command Injection in NodejsFunction Bundling | Severity: High | CVE-2026-11417 | published for aws-cdk-lib (npm), Jun 15, 2026

markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations | Severity: Moderate | CVE-2026-48988 | published for markdown-it (npm), Jun 15, 2026

OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation | Severity: Moderate | CVE-2026-54285 | published for @opentelemetry/core (npm), Jun 15, 2026

Nest: Middleware Bypass on Fastify via Trailing Slash | Severity: High | CVE-2026-54281 | published for @nestjs/platform-fastify (npm), Jun 15, 2026

Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow | Severity: Critical | CVE-2026-54257 | published for electron (npm), Jun 15, 2026

UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()` | Severity: Moderate | CVE-2026-48125 | published for ua-parser-js (npm), Jun 15, 2026

protobufjs-cli: Code injection in pbjs static output from crafted JSON descriptor names | Severity: High | CVE-2026-54271 | published for protobufjs-cli (npm), Jun 15, 2026

protobufjs: Memory amplification from preserved unknown fields in binary decode | Severity: Moderate | CVE-2026-54270 | published for protobufjs (npm), Jun 15, 2026

DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output | Severity: Low | GHSA-vxr8-fq34-vvx9 | published for dompurify (npm), Jun 15, 2026

React Router: Potential CSRF via PUT/PATCH/DELETE document requests | Severity: Low | CVE-2026-53663 | published for @remix-run/server-runtime (npm), Jun 15, 2026

Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE | Severity: Critical | CVE-2026-53633 | published for @vitest/browser (npm), Jun 15, 2026

DOMPurify: SAFE_FOR_TEMPLATES bypass - template expressions survive sanitization inside <template> content when using DOM output modes | Severity: Low | GHSA-gvmj-g25r-r7wr | published for dompurify (npm), Jun 15, 2026

DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content | Severity: Moderate | CVE-2026-49978 | published for dompurify (npm), Jun 15, 2026

DOMPurify: `IN_PLACE` mode trusts attacker-controlled `nodeName` on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objects | Severity: Low | GHSA-x4vx-rjvf-j5p4 | published for dompurify (npm), Jun 15, 2026

DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR` | Severity: Moderate | GHSA-76mc-f452-cxcm | published for dompurify (npm), Jun 15, 2026

DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks | Severity: Moderate | CVE-2026-49458 | published for dompurify (npm), Jun 15, 2026

DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM | Severity: Moderate | CVE-2026-49459 | published for dompurify (npm), Jun 15, 2026

Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection | Severity: Moderate | GHSA-268h-hp4c-crq3 | published for nodemailer (npm), Jun 15, 2026

Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization | Severity: Moderate | GHSA-wqvq-jvpq-h66f | published for nodemailer (npm), Jun 15, 2026

Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception | Severity: Moderate | GHSA-r7g4-qg5f-qqm2 | published for nodemailer (npm), Jun 15, 2026

protobufjs: Denial of service through unbounded Any expansion during JSON conversion | Severity: High | CVE-2026-48712 | published for protobufjs (npm), Jun 15, 2026

protobufjs: Schema-derived names can shadow runtime-significant properties | Severity: Moderate | CVE-2026-54269 | published for protobufjs (npm), Jun 15, 2026

form-data: CRLF injection in form-data via unescaped multipart field names and filenames | Severity: High | CVE-2026-12143 | published for form-data (npm), Jun 15, 2026

@angular/service-worker: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker | Severity: High | CVE-2026-54264 | published for @angular/service-worker (npm), Jun 15, 2026
ProTip! Advisories are also available from the GraphQL API.