Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,948
Maven
5,000+
npm
5,000+
NuGet
969
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,383
Swift
56
Unreviewed advisories
All unreviewed
5,000+

128 advisories

Loading
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions Moderate
CVE-2026-44490 was published for axios (npm) May 29, 2026
Tal-Gav Credited to Tal-Gav
Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not... Moderate Unreviewed
CVE-2026-9101 was published May 20, 2026
protobuf.js: Prototype injection in generated message constructors Moderate
CVE-2026-44292 was published for protobufjs (npm) May 12, 2026
VladimirEliTokarev Credited to VladimirEliTokarev and dcodeIO dcodeIO dcodeIO
next-intl has prototype pollution with `experimental.messages.precompile` via attacker-controlled translation catalog keys Moderate
GHSA-4c35-wcg5-mm9h was published for next-intl (npm) May 6, 2026
offset Credited to offset
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy Moderate
CVE-2026-42041 was published for axios (npm) May 5, 2026
August829 Credited to August829
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` Moderate
CVE-2026-42044 was published for axios (npm) May 5, 2026
August829 Credited to August829
Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations Moderate
CVE-2026-42077 was published for @evomap/evolver (npm) Apr 22, 2026
xeloxa Credited to xeloxa
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback Moderate
CVE-2026-41238 was published for dompurify (npm) Apr 22, 2026
trace37labs Credited to trace37labs
Deep Merge is Vulnerable to Prototype Pollution Through Lack of Sanitization Moderate
CVE-2026-6594 was published for @brikcss/merge (npm) Apr 20, 2026
Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution Moderate
CVE-2026-5758 was published for protocol-buffers-schema (npm) Apr 15, 2026
Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an... Moderate Unreviewed
CVE-2026-34626 was published Apr 14, 2026
LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()` Moderate
CVE-2026-40190 was published for langsmith (npm) Apr 10, 2026
OneThing4101 Credited to OneThing4101
DOMPurify USE_PROFILES prototype pollution allows event handlers Moderate
GHSA-cj63-jhhr-wcxv was published for dompurify (npm) Apr 3, 2026
christos-eth Credited to christos-eth
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` Moderate
CVE-2026-2950 was published for lodash (npm) Apr 1, 2026
Haruna38 Credited to Haruna38, shpik-kr, maru1009, ott3r07, zolbooo, backuardo, falsyvalues, jonchurch, jdalton, and UlisesGascon shpik-kr shpik-kr
maru1009 maru1009 ott3r07 ott3r07 zolbooo zolbooo backuardo backuardo falsyvalues falsyvalues jonchurch jonchurch jdalton jdalton UlisesGascon UlisesGascon
Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521 Moderate
CVE-2026-33994 was published for locutus (npm) Mar 27, 2026
gtsp233 Credited to gtsp233
Locutus has Prototype Pollution via __proto__ Key Injection in unserialize() Moderate
CVE-2026-33993 was published for locutus (npm) Mar 27, 2026
offset Credited to offset
Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry Moderate
GHSA-7rx3-28cr-v5wh was published for handlebars (npm) Mar 29, 2026
TinkAnet Credited to TinkAnet
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection Moderate
CVE-2026-33916 was published for handlebars (npm) Mar 26, 2026
ByamB4 Credited to ByamB4
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching Moderate
CVE-2026-33672 was published for picomatch (npm) Mar 25, 2026
ByamB4 Credited to ByamB4, danez, and doowb danez danez
doowb doowb
Elysia Cookie Value Prototype Pollution Moderate
CVE-2026-31865 was published for elysia (npm) Mar 17, 2026
ebadfd Credited to ebadfd
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy Moderate
CVE-2026-32878 was published for parse-server (npm) Mar 17, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
devalue has prototype pollution in devalue.parse and devalue.unflatten Moderate
CVE-2026-30226 was published for devalue (npm) Mar 12, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github, KarimPwnz, and jviide KarimPwnz KarimPwnz
jviide jviide
Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true }) Moderate
GHSA-v8w9-8mx6-g223 was published for hono (npm) Mar 11, 2026
0xkakash1 Credited to 0xkakash1
dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform() Moderate
CVE-2026-27837 was published for dottie (npm) Feb 26, 2026
76embiid21 Credited to 76embiid21
JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js Moderate
CVE-2025-61140 was published for jsonpath (npm) Jan 28, 2026
gabrielmendes98 Credited to gabrielmendes98
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database