Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
48
Go
3,343
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,550
Pub
12
RubyGems
1,013
Rust
1,203
Swift
51
Unreviewed advisories
All unreviewed
5,000+

532 advisories

Loading
MikroORM has Prototype Pollution in Utils.merge High
CVE-2026-34221 was published for @mikro-orm/core (npm) Mar 29, 2026
lukas-eu Credited to lukas-eu
Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry Moderate
GHSA-7rx3-28cr-v5wh was published for handlebars (npm) Mar 29, 2026
TinkAnet Credited to TinkAnet
Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521 Moderate
CVE-2026-33994 was published for locutus (npm) Mar 27, 2026
gtsp233 Credited to gtsp233
Locutus has Prototype Pollution via __proto__ Key Injection in unserialize() Moderate
CVE-2026-33993 was published for locutus (npm) Mar 27, 2026
offset Credited to offset
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection Moderate
CVE-2026-33916 was published for handlebars (npm) Mar 26, 2026
ByamB4 Credited to ByamB4
Convict has Prototype Pollution via startsWith() function Critical
CVE-2026-33864 was published for convict (npm) Mar 26, 2026
kevgeoleo Credited to kevgeoleo, vdata1, reallyTG, fkiriakos07, toufali, and clouserw vdata1 vdata1
reallyTG reallyTG fkiriakos07 fkiriakos07 toufali toufali clouserw clouserw
Convict has prototype pollution via load(), loadFile(), and schema initialization Critical
CVE-2026-33863 was published for convict (npm) Mar 26, 2026
toufali Credited to toufali and clouserw clouserw clouserw
n8n: Prototype Pollution in XML and GSuiteAdmin node parameters lead to RCE Critical
CVE-2026-33696 was published for n8n (npm) Mar 26, 2026
simonkoeck Credited to simonkoeck
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching Moderate
CVE-2026-33672 was published for picomatch (npm) Mar 25, 2026
ByamB4 Credited to ByamB4, danez, and doowb danez danez
doowb doowb
Prototype Pollution via parse() in NodeJS flatted High
CVE-2026-33228 was published for flatted (npm) Mar 19, 2026
yohannslm Credited to yohannslm
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy Moderate
CVE-2026-32878 was published for parse-server (npm) Mar 17, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Parse Server's Cloud function dispatch crashes server via prototype chain traversal High
CVE-2026-32886 was published for parse-server (npm) Mar 17, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Elysia Cookie Value Prototype Pollution Moderate
CVE-2026-31865 was published for elysia (npm) Mar 17, 2026
ebadfd Credited to ebadfd
Apollo Federation vulnerable to prototype pollution via incomplete key sanitization Critical
CVE-2026-32621 was published for @apollo/federation-internals (npm) Mar 13, 2026
r3dbrothers Credited to r3dbrothers
Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties Low
GHSA-mwv9-gp5h-frr4 was published for devalue (npm) Mar 12, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github, KarimPwnz, wim-vercel, and mattiasljungstrom KarimPwnz KarimPwnz
wim-vercel wim-vercel mattiasljungstrom mattiasljungstrom
devalue has prototype pollution in devalue.parse and devalue.unflatten Moderate
CVE-2026-30226 was published for devalue (npm) Mar 12, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github, KarimPwnz, and jviide KarimPwnz KarimPwnz
jviide jviide
Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true }) Moderate
GHSA-v8w9-8mx6-g223 was published for hono (npm) Mar 11, 2026
0xkakash1 Credited to 0xkakash1
Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution High
CVE-2026-30939 was published for parse-server (npm) Mar 10, 2026
theinfosecguy Credited to theinfosecguy and mtrezza mtrezza mtrezza
Immutable is vulnerable to Prototype Pollution High
CVE-2026-29063 was published for immutable (npm) Mar 4, 2026
davkharrr Credited to davkharrr and FeBe95 FeBe95 FeBe95
OpenClaw's runtime /debug override path accepted prototype-reserved keys Low
CVE-2026-27524 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
`@orpc/client` has Prototype Pollution via `StandardRPCJsonSerializer` Deserialization Critical
CVE-2026-28794 was published for @orpc/client (npm) Mar 2, 2026
mnixry Credited to mnixry
dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform() Moderate
CVE-2026-27837 was published for dottie (npm) Feb 26, 2026
76embiid21 Credited to 76embiid21
devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed Low
GHSA-8qm3-746x-r74r was published for devalue (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Prototype pollution in swiper Critical
CVE-2026-27212 was published for swiper (npm) Feb 19, 2026
kevgeoleo Credited to kevgeoleo, vdata1, and reallyTG vdata1 vdata1
reallyTG reallyTG
A State Pollution vulnerability was discovered in the TON Virtual Machine (TVM) before v2025.04.... High Unreviewed
CVE-2025-70956 was published Feb 14, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database