GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,692 advisories

@adonisjs/bodyparser has an incomplete fix for CVE-2026-25754 High
CVE-2026-48795 was published for @adonisjs/bodyparser (npm) Jun 30, 2026
Credited to EchoSkorJjj
@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation High
CVE-2026-49473 was published for @cedar-policy/authorization-for-expressjs (npm) Jun 30, 2026
Credited to 5h1kh4r
pnpm: `patch-remove` could delete project-selected files outside the patches directory High
GHSA-72r4-9c5j-mj57 was published for pnpm (npm) Jun 27, 2026
pnpm: Hoisted install imports lockfile alias outside node_modules High
GHSA-fr4h-3cph-29xv was published for pnpm (npm) Jun 27, 2026
pnpm: Reserved bin name deletes PNPM_HOME during global remove Moderate
CVE-2026-55699 was published for pnpm (npm) Jun 26, 2026
pnpm: Repository-controlled configDependencies can select a pacquet native install engine High
CVE-2026-55697 was published for pnpm (npm) Jun 26, 2026
pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle High
CVE-2026-55487 was published for pnpm (npm) Jun 26, 2026
Credited to mldangelo-oai
pnpm Vulnerable to Arbitrary File Write/Delete via Malicious Patch File (Path Traversal) High
CVE-2026-50015 was published for pnpm (npm) Jun 26, 2026
Credited to tempcollab
pnpm binds unscoped user-level npm auth credentials to a repository-selected registry Moderate
CVE-2026-50017 was published for pnpm (npm) Jun 26, 2026
Credited to mosskappa
Credited to aszx87410
pnpm: Git Fetch Argument Injection via Lockfile resolution.commit Moderate
CVE-2026-50014 was published for pnpm (npm) Jun 26, 2026
Credited to tempcollab
pnpm Has an Integrity Check Bypass via Missing Lockfile Integrity Field Moderate
CVE-2026-50021 was published for pnpm (npm) Jun 26, 2026
Credited to tempcollab
pnpm: Unsafe default behavior breaks integrity check Moderate
CVE-2026-50573 was published for pnpm (npm) Jun 26, 2026
Credited to aszx87410
js-toml has silent type confusion via falsy-primitive duplicate-key bypass Moderate
CVE-2026-50029 was published for js-toml (npm) Jun 26, 2026
Credited to CosmicCrusader23
@microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter Moderate
CVE-2026-49336 was published for @microsoft/kiota-http-fetchlibrary (npm) Jun 26, 2026
Credited to tonghuaroot, baywet, and adrian05-ms
Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication High
CVE-2026-49357 was published for line-desktop-mcp (npm) Jun 26, 2026
pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile Moderate
CVE-2026-48995 was published for pnpm (npm) Jun 26, 2026
Credited to dsherret
@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url Low
GHSA-rp72-5v5q-2446 was published for @cardano402/mcp-server (npm) Jun 26, 2026
Credited to MorganOnCode
deepstream is vulnerable to prototype pollution Critical
CVE-2026-49252 was published for @deepstream/server (npm) Jun 26, 2026
better-helperjs Vulnerable to Directory Traversal via String Prefix Bypass in Static Server High
GHSA-3p34-w4f6-5xh2 was published for better-helperjs (npm) Jun 26, 2026
Credited to TurboRigby
ProTip! Advisories are also available from the GraphQL API