GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
2,189 advisories
Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection
Moderate
CVE-2026-41148
was published
for
mermaid
(npm)
May 11, 2026
Hono has CSS Declaration Injection via Style Object Values in JSX SSR
Moderate
CVE-2026-44458
was published
for
hono
(npm)
May 9, 2026
Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
Moderate
CVE-2026-44457
was published
for
hono
(npm)
May 9, 2026
Electerm's full process.env exposed to renderer via window.pre.env
Moderate
CVE-2026-43942
was published
for
electerm
(npm)
May 8, 2026
fast-xml-builder Comment Value regex can be bypassed
Moderate
CVE-2026-44664
was published
for
fast-xml-builder
(npm)
May 8, 2026
vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`
Moderate
GHSA-2cm2-m3w5-gp2f
was published
for
vm2
(npm)
May 8, 2026
vm2's Transformer Fast-Path Bypass Exposes Internal State Variable
Moderate
CVE-2026-44003
was published
for
vm2
(npm)
May 7, 2026
vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak
Moderate
CVE-2026-44002
was published
for
vm2
(npm)
May 7, 2026
vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary
Moderate
CVE-2026-44000
was published
for
vm2
(npm)
May 7, 2026
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
Moderate
CVE-2026-44456
was published
for
hono
(npm)
May 6, 2026
hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection
Moderate
CVE-2026-44455
was published
for
hono
(npm)
May 6, 2026
ProTip!
Advisories are also available from the
GraphQL API