GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
3,078 advisories
engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection
High
GHSA-2r2p-4cgf-hv7h
was published
for
engramx
(npm)
Apr 22, 2026
Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write
High
GHSA-r466-rxw4-3j9j
was published
for
@evomap/evolver
(npm)
Apr 22, 2026
Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution
Critical
GHSA-j5w5-568x-rq53
was published
for
@evomap/evolver
(npm)
Apr 22, 2026
Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations
Moderate
GHSA-2cjr-5v3h-v2w4
was published
for
@evomap/evolver
(npm)
Apr 22, 2026
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
Moderate
GHSA-w5hq-g745-h8pq
was published
for
uuid
(npm)
Apr 22, 2026
MCPHub has Path Traversal via Malicious MCPB Manifest Name
High
GHSA-p3h2-2j4p-p83g
was published
for
@samanhappy/mcphub
(npm)
Apr 22, 2026
xmldom: Uncontrolled recursion in XML serialization leads to DoS
High
CVE-2026-41673
was published
for
@xmldom/xmldom
(npm)
Apr 22, 2026
xmldom has XML injection through unvalidated DocumentType serialization
High
CVE-2026-41674
was published
for
@xmldom/xmldom
(npm)
Apr 22, 2026
xmldom has XML node injection through unvalidated processing instruction serialization
High
CVE-2026-41675
was published
for
@xmldom/xmldom
(npm)
Apr 22, 2026
xmldom has XML node injection through unvalidated comment serialization
High
CVE-2026-41672
was published
for
@xmldom/xmldom
(npm)
Apr 22, 2026
@nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading
High
CVE-2026-41640
was published
for
@nocobase/database
(npm)
Apr 22, 2026
@nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call
High
CVE-2026-41641
was published
for
@nocobase/plugin-collection-sql
(npm)
Apr 22, 2026
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
Moderate
CVE-2026-41650
was published
for
fast-xml-parser
(npm)
Apr 22, 2026
Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping
Moderate
CVE-2026-41591
was published
for
@marko/runtime-tags
(npm)
Apr 22, 2026
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
Moderate
CVE-2026-41240
was published
for
dompurify
(npm)
Apr 22, 2026
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
Moderate
CVE-2026-41239
was published
for
dompurify
(npm)
Apr 22, 2026
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
Moderate
CVE-2026-41238
was published
for
dompurify
(npm)
Apr 22, 2026
Postiz has Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader
High
GHSA-89v5-38xr-9m4j
was published
for
postiz
(npm)
Mar 27, 2026
ProTip!
Advisories are also available from the
GraphQL API