GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
39 advisories

undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching
Severity: Low. CVE-2026-11525 was published for undici (npm), Jun 19, 2026

undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
Severity: Moderate. CVE-2026-9679 was published for undici (npm), Jun 19, 2026

undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse
Severity: High. CVE-2026-6734 was published for undici (npm), Jun 19, 2026

undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
Severity: Low. CVE-2026-6733 was published for undici (npm), Jun 19, 2026

undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
Severity: Moderate. CVE-2026-9678 was published for undici (npm), Jun 18, 2026

undici WebSocket client vulnerable to denial of service via cumulative fragment bypass
Severity: High. CVE-2026-9675 was published for undici (npm), Jun 18, 2026

fast-uri vulnerable to host confusion via percent-encoded authority delimiters
Severity: High. CVE-2026-6322 was published for fast-uri (npm), May 8, 2026

fast-uri vulnerable to path traversal via percent-encoded dot segments
Severity: High. CVE-2026-6321 was published for fast-uri (npm), May 8, 2026

@fastify/static vulnerable to path traversal in directory listing
Severity: Moderate. CVE-2026-6410 was published for @fastify/static (npm), Apr 16, 2026

@fastify/static vulnerable to route guard bypass via encoded path separators
Severity: Moderate. CVE-2026-6414 was published for @fastify/static (npm), Apr 16, 2026

@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
Severity: High. CVE-2026-33804 was published for @fastify/middie (npm), Apr 16, 2026

@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
Severity: Critical. CVE-2026-33808 was published for @fastify/express (npm), Apr 16, 2026

@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes
Severity: Critical. CVE-2026-33807 was published for @fastify/express (npm), Apr 16, 2026

Fastify's connection header abuse enables stripping of proxy-added headers
Severity: Critical. CVE-2026-33805 was published for @fastify/http-proxy (npm), Apr 16, 2026

Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header
Severity: High. CVE-2026-33806 was published for fastify (npm), Apr 15, 2026

fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections
Severity: Moderate. CVE-2026-3635 was published for fastify (npm), Mar 25, 2026

Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
Severity: High. CVE-2026-1526 was published for undici (npm), Mar 13, 2026

Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
Severity: High. CVE-2026-2229 was published for undici (npm), Mar 13, 2026

Undici has CRLF Injection in undici via `upgrade` option
Severity: Moderate. CVE-2026-1527 was published for undici (npm), Mar 13, 2026

Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS
Severity: Moderate. CVE-2026-2581 was published for undici (npm), Mar 13, 2026

Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
Severity: High. CVE-2026-1528 was published for undici (npm), Mar 13, 2026

Undici has an HTTP Request/Response Smuggling issue
Severity: Moderate. CVE-2026-1525 was published for undici (npm), Mar 13, 2026

Mercurius's queryDepth limit bypassed for WebSocket subscriptions
Severity: Low. CVE-2026-30241 was published for mercurius (npm), Mar 6, 2026

Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation
Severity: Moderate. CVE-2026-3419 was published for fastify (npm), Mar 5, 2026

@fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware
Severity: High. CVE-2026-2880 was published for @fastify/middie (npm), Feb 28, 2026