Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,538
Maven
5,000+
npm
5,000+
NuGet
914
pip
4,790
Pub
13
RubyGems
1,037
Rust
1,232
Swift
53
Unreviewed advisories
All unreviewed
5,000+

10 advisories

Loading
@fastify/static vulnerable to path traversal in directory listing Moderate
CVE-2026-6410 was published for @fastify/static (npm) Apr 16, 2026
yuki-matsuhashi Credited to yuki-matsuhashi, mcollina, UlisesGascon, and climba03003 mcollina mcollina
UlisesGascon UlisesGascon climba03003 climba03003
@fastify/static vulnerable to route guard bypass via encoded path separators Moderate
CVE-2026-6414 was published for @fastify/static (npm) Apr 16, 2026
blakeembrey Credited to blakeembrey, mcollina, UlisesGascon, and climba03003 mcollina mcollina
UlisesGascon UlisesGascon climba03003 climba03003
fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections Moderate
CVE-2026-3635 was published for fastify (npm) Mar 25, 2026
TinkAnet Credited to TinkAnet, climba03003, mcollina, and UlisesGascon climba03003 climba03003
mcollina mcollina UlisesGascon UlisesGascon
Undici has CRLF Injection in undici via `upgrade` option Moderate
CVE-2026-1527 was published for undici (npm) Mar 13, 2026
mcollina Credited to mcollina and UlisesGascon UlisesGascon UlisesGascon
Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS Moderate
CVE-2026-2581 was published for undici (npm) Mar 13, 2026
jackhax Credited to jackhax, mcollina, and UlisesGascon mcollina mcollina
UlisesGascon UlisesGascon
Undici has an HTTP Request/Response Smuggling issue Moderate
CVE-2026-1525 was published for undici (npm) Mar 13, 2026
mcollina Credited to mcollina and UlisesGascon UlisesGascon UlisesGascon
Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation Moderate
CVE-2026-3419 was published for fastify (npm) Mar 5, 2026
TarPeg007 Credited to TarPeg007, jsumners, mcollina, and UlisesGascon jsumners jsumners
mcollina mcollina UlisesGascon UlisesGascon
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion Moderate
CVE-2026-22036 was published for undici (npm) Jan 14, 2026
mcollina Credited to mcollina and illia-v illia-v illia-v
Use of Insufficiently Random Values in undici Moderate
CVE-2025-22150 was published for undici (npm) Jan 21, 2025
mcollina Credited to mcollina and parrot409 parrot409 parrot409
fetch(url) leads to a memory leak in undici Moderate
CVE-2024-24750 was published for undici (npm) Feb 16, 2024
mcollina Credited to mcollina
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database