GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

518 advisories

Credited to elliott-with-the-longest-name-on-github, KarimPwnz, wim-vercel, and mattiasljungstrom
devalue has prototype pollution in devalue.parse and devalue.unflatten Moderate
CVE-2026-30226 was published for devalue (npm) Mar 12, 2026
Credited to elliott-with-the-longest-name-on-github, KarimPwnz, and jviide
Credited to 0xkakash1
Credited to theinfosecguy and mtrezza
Immutable is vulnerable to Prototype Pollution High
CVE-2026-29063 was published for immutable (npm) Mar 4, 2026
Credited to davkharrr and FeBe95
OpenClaw's runtime /debug override path accepted prototype-reserved keys Low
GHSA-62f6-mrcj-v8h5 was published for openclaw (npm) Mar 3, 2026
Credited to tdjackey
`@orpc/client` has Prototype Pollution via `StandardRPCJsonSerializer` Deserialization Critical
CVE-2026-28794 was published for @orpc/client (npm) Mar 2, 2026
Credited to mnixry
Credited to 76embiid21
devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed Low
GHSA-8qm3-746x-r74r was published for devalue (npm) Feb 19, 2026
Credited to elliott-with-the-longest-name-on-github
Prototype pollution in swiper Critical
CVE-2026-27212 was published for swiper (npm) Feb 19, 2026
Credited to kevgeoleo, vdata1, and reallyTG
set-in Affected by Prototype Pollution Critical
CVE-2026-26021 was published for set-in (npm) Feb 11, 2026
Credited to kevgeoleo, vdata1, and reallyTG
CASL Ability is Vulnerable to Prototype Pollution Critical
CVE-2026-1774 was published for @casl/ability (npm) Feb 10, 2026
@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape) Critical
CVE-2026-25881 was published for @nyariv/sandboxjs (npm) Feb 10, 2026
Credited to k14uz
AdonisJS multipart body parsing has Prototype Pollution issue High
CVE-2026-25754 was published for @adonisjs/bodyparser (npm) Feb 6, 2026
Credited to RomainLanz
Prototype Pollution via FormData Processing in Qwik City Critical
CVE-2026-25150 was published for @builder.io/qwik-city (npm) Feb 3, 2026
Credited to yueyueL
locutus is vulnerable to Prototype Pollution Critical
CVE-2026-25521 was published for locutus (npm) Feb 2, 2026
Credited to kevgeoleo, reallyTG, vdata1, and cristianstaicu
SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE Critical
CVE-2026-25142 was published for @nyariv/sandboxjs (npm) Feb 2, 2026
Credited to c0rydoras
deepHas vulnerable to Prototype Pollution via constructor.prototype Critical
CVE-2026-25047 was published for deephas (npm) Jan 29, 2026
Credited to kevgeoleo, vdata1, and reallyTG
Maker.js has Unsafe Property Copying in makerjs.extendObject Moderate
CVE-2026-24888 was published for makerjs (npm) Jan 29, 2026
Credited to hayageek
NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS Moderate
CVE-2026-24766 was published for nocodb (npm) Jan 28, 2026
Credited to cp-57
Credited to gabrielmendes98
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions Moderate
CVE-2025-13465 was published for lodash (npm) Jan 21, 2026
Credited to lukas-eu, ljharb, UlisesGascon, falsyvalues, and jdalton
seroval Affected by Prototype Pollution via JSON Deserialization High
CVE-2026-23736 was published for seroval (npm) Jan 21, 2026
Credited to lxsmnsyc and tweidinger
apidoc-core has a prototype pollution vulnerability Critical
CVE-2025-13158 was published for apidoc-core (npm) Dec 26, 2025