GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

120 advisories

webonyx/graphql-php has unbounded recursion in parser that causes stack overflow on crafted nested input High
GHSA-r7cg-qjjm-xhqq was published for webonyx/graphql-php (Composer) May 5, 2026
Credited to d0cs1s-bzhunt and BZHunt
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data Moderate
CVE-2026-42039 was published for axios (npm) May 5, 2026
Credited to fg0x0
Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer High
CVE-2026-41680 was published for marked (npm) Apr 29, 2026
Credited to MaanVader
Apache Thrift Node.js bindings vulnerable to Uncontrolled Recursion High
CVE-2026-41636 was published for thrift (npm) Apr 28, 2026
liquidjs has a Denial of Service via circular block reference in layout High
CVE-2026-41311 was published for liquidjs (npm) Apr 24, 2026
Credited to 1netvn
xmldom: Uncontrolled recursion in XML serialization leads to DoS High
CVE-2026-41673 was published for @xmldom/xmldom (npm) Apr 22, 2026
Credited to Jvr2022, praveen-kv, and KarimTantawey
OpenBao: Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS) Low
CVE-2026-39396 was published for github.com/openbao/openbao (Go) Apr 21, 2026
Credited to n1rwhex
Meridian: Multiple defense-in-depth gaps (collection/depth caps, telemetry, retry, fan-out) High
GHSA-f5v8-v6q3-q4h6 was published for Meridian.Mapping (NuGet) Apr 16, 2026
ChilliCream GraphQL Platform: Utf8GraphQLParser Stack Overflow via Deeply Nested GraphQL Documents Critical
CVE-2026-40324 was published for HotChocolate.Language (NuGet) Apr 16, 2026
Credited to BZHunt
ImageMagick has a Stack Overflow via Recursive FX Expression Parsing Moderate
CVE-2026-33902 was published for Magick.NET-Q16-AnyCPU (NuGet) Apr 14, 2026
Credited to fumfel
Nest Affected by DoS via Recursive handleData in JsonSocket (TCP Transport) High
CVE-2026-40879 was published for @nestjs/microservices (npm) Apr 14, 2026
Credited to hwpark6804-gif and kamilmysliwiec
ImageMagick has a Stack Overflow in DestroyXMLTree() High
CVE-2026-33908 was published for Magick.NET-Q16-AnyCPU (NuGet) Apr 14, 2026
Credited to unbengable12
FastFeedParser has an infinite redirect loop DoS via meta-refresh chain High
CVE-2026-39376 was published for fastfeedparser (pip) Apr 8, 2026
Credited to redyank
@stablelib/cbor: Stack exhaustion Denial of Service via deeply nested CBOR arrays, maps, or tags High
GHSA-5jg4-p4qw-cgfr was published for @stablelib/cbor (npm) Apr 4, 2026
Credited to Jvr2022
SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser Moderate
CVE-2026-34211 was published for @nyariv/sandboxjs (npm) Apr 3, 2026
Credited to offset
C2C CI utils is vulnerable to DoS via pyasn dependency (CVE-2026-30922) High
GHSA-wcjx-v2wj-xg87 was published for c2cciutils (pip) Mar 26, 2026
smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines Moderate
GHSA-v3rj-xjv7-4jmq was published for smol-toml (npm) Mar 25, 2026
Credited to 0xkakash1
yaml is vulnerable to Stack Overflow via deeply nested YAML collections Moderate
CVE-2026-33532 was published for yaml (npm) Mar 25, 2026
Credited to kq5y and peaktwilight
Credited to offset
Scriban has a Stack Overflow via Nested Array Initializers That Bypass the ExpressionDepthLimit Fix High
GHSA-p6q4-fgr8-vx4p was published for Scriban (NuGet) Mar 24, 2026
Credited to pawlos
cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads High
CVE-2026-26209 was published for cbor2 (pip) Mar 23, 2026
Credited to romanticpragmatism
Parse Server LiveQuery subscription query depth bypass High
CVE-2026-33508 was published for parse-server (npm) Mar 20, 2026
Credited to mith36 and mtrezza
Parse Server has a query condition depth bypass via pre-validation transform pipeline High
CVE-2026-33498 was published for parse-server (npm) Mar 20, 2026
Credited to nikoladzekic and mtrezza
Credited to skdishansachin
Scriban has Uncontrolled Recursion in Parser Leads to Stack Overflow and Process Crash (Denial of Service) High
GHSA-wgh7-7m3c-fx25 was published for scriban (NuGet) Mar 19, 2026
Credited to skdishansachin