GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem:
All reviewed: 5,000+
Composer: 5,000+
Erlang: 86
GitHub Actions: 54
Go: 4,169
Maven: 5,000+
npm: 5,000+
NuGet: 1,019
pip: 5,000+
Pub: 13
RubyGems: 1,102
Rust: 1,421
Swift: 61

Unreviewed advisories:
All unreviewed: 5,000+
6,686 advisories
pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config
  Severity: High | GHSA-qrv3-253h-g69c | published Jun 27, 2026 for pnpm (npm)

pnpm: `patch-remove` could delete project-selected files outside the patches directory
  Severity: High | GHSA-72r4-9c5j-mj57 | published Jun 27, 2026 for pnpm (npm)

pnpm: Hoisted install imports lockfile alias outside node_modules
  Severity: High | GHSA-fr4h-3cph-29xv | published Jun 27, 2026 for pnpm (npm)

pnpm: `stage download` writes outside its destination directory via manifest name/version traversal
  Severity: High | CVE-2026-55700 | published Jun 26, 2026 for pnpm (npm)

pnpm: Reserved bin name deletes PNPM_HOME during global remove
  Severity: Moderate | CVE-2026-55699 | published Jun 26, 2026 for pnpm (npm)

pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes
  Severity: High | CVE-2026-55698 | published Jun 26, 2026 for pnpm (npm)

pnpm: Repository-controlled configDependencies can select a pacquet native install engine
  Severity: High | CVE-2026-55697 | published Jun 26, 2026 for pnpm (npm)

pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle
  Severity: High | CVE-2026-55487 | published Jun 26, 2026 for pnpm (npm)

pnpm: Repository config can expand victim environment secrets into registry requests before scripts run
  Severity: Moderate | CVE-2026-55180 | published Jun 26, 2026 for pnpm (npm)

pnpm Vulnerable to Arbitrary File Write/Delete via Malicious Patch File (Path Traversal)
  Severity: High | CVE-2026-50015 | published Jun 26, 2026 for pnpm (npm)

pnpm binds unscoped user-level npm auth credentials to a repository-selected registry
  Severity: Moderate | CVE-2026-50017 | published Jun 26, 2026 for pnpm (npm)

pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement
  Severity: High | CVE-2026-50016 | published Jun 26, 2026 for pnpm (npm)

pnpm: Git Fetch Argument Injection via Lockfile resolution.commit
  Severity: Moderate | CVE-2026-50014 | published Jun 26, 2026 for pnpm (npm)

pnpm Has an Integrity Check Bypass via Missing Lockfile Integrity Field
  Severity: Moderate | CVE-2026-50021 | published Jun 26, 2026 for pnpm (npm)

pnpm: Unsafe default behavior breaks integrity check
  Severity: Moderate | CVE-2026-50573 | published Jun 26, 2026 for pnpm (npm)

js-toml has silent type confusion via falsy-primitive duplicate-key bypass
  Severity: Moderate | CVE-2026-50029 | published Jun 26, 2026 for js-toml (npm)

@microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter
  Severity: Moderate | CVE-2026-49336 | published Jun 26, 2026 for @microsoft/kiota-http-fetchlibrary (npm)

js-toml vulnerable to CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals
  Severity: High | CVE-2026-49293 | published Jun 26, 2026 for js-toml (npm)

Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication
  Severity: High | CVE-2026-49357 | published Jun 26, 2026 for line-desktop-mcp (npm)

pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile
  Severity: Moderate | CVE-2026-48995 | published Jun 26, 2026 for pnpm (npm)

@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url
  Severity: Low | GHSA-rp72-5v5q-2446 | published Jun 26, 2026 for @cardano402/mcp-server (npm)

deepstream is vulnerable to prototype pollution
  Severity: Critical | CVE-2026-49252 | published Jun 26, 2026 for @deepstream/server (npm)

better-helperjs Vulnerable to Directory Traversal via String Prefix Bypass in Static Server
  Severity: High | GHSA-3p34-w4f6-5xh2 | published Jun 26, 2026 for better-helperjs (npm)

Muhammara has a NULL pointer dereference in LZWDecode filter when DecodeParms omits EarlyChange key
  Severity: High | GHSA-fhp4-pr5j-46m5 | published Jun 26, 2026 for muhammara (npm)

LinkifyIt#match scan loop has quadratic algorithmic complexity
  Severity: High | CVE-2026-48801 | published Jun 26, 2026 for linkify-it (npm)
Advisories are also available from the GraphQL API.