GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
46 advisories
multiparty vulnerable to ReDoS via filename parsing
High
CVE-2026-8159
was published
for
multiparty
(npm)
May 18, 2026
multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing
High
CVE-2026-8162
was published
for
multiparty
(npm)
May 18, 2026
multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception
High
CVE-2026-8161
was published
for
multiparty
(npm)
May 18, 2026
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
Moderate
CVE-2026-6402
was published
for
webpack-dev-server
(npm)
May 18, 2026
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
High
CVE-2026-6322
was published
for
fast-uri
(npm)
May 8, 2026
fast-uri vulnerable to path traversal via percent-encoded dot segments
High
CVE-2026-6321
was published
for
fast-uri
(npm)
May 8, 2026
@fastify/accepts-serializer Vulnerable to Denial of Service via Unbounded Accept Header Cache Growth
High
CVE-2026-7768
was published
for
@fastify/accepts-serializer
(npm)
May 8, 2026
@fastify/static vulnerable to path traversal in directory listing
Moderate
CVE-2026-6410
was published
for
@fastify/static
(npm)
Apr 16, 2026
@fastify/static vulnerable to route guard bypass via encoded path separators
Moderate
CVE-2026-6414
was published
for
@fastify/static
(npm)
Apr 16, 2026
@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
Critical
CVE-2026-6270
was published
for
@fastify/middie
(npm)
Apr 16, 2026
@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
High
CVE-2026-33804
was published
for
@fastify/middie
(npm)
Apr 16, 2026
@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
Critical
CVE-2026-33808
was published
for
@fastify/express
(npm)
Apr 16, 2026
@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes
Critical
CVE-2026-33807
was published
for
@fastify/express
(npm)
Apr 16, 2026
Fastify's connection header abuse enables stripping of proxy-added headers
Critical
CVE-2026-33805
was published
for
@fastify/http-proxy
(npm)
Apr 16, 2026
Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header
High
CVE-2026-33806
was published
for
fastify
(npm)
Apr 15, 2026
lodash vulnerable to Code Injection via `_.template` imports key names
High
CVE-2026-4800
was published
for
lodash
(npm)
Apr 1, 2026
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
Moderate
CVE-2026-2950
was published
for
lodash
(npm)
Apr 1, 2026
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards
Moderate
CVE-2026-4923
was published
for
path-to-regexp
(npm)
Mar 27, 2026
path-to-regexp vulnerable to Denial of Service via sequential optional groups
High
CVE-2026-4926
was published
for
path-to-regexp
(npm)
Mar 27, 2026
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
High
CVE-2026-4867
was published
for
path-to-regexp
(npm)
Mar 27, 2026
fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections
Moderate
CVE-2026-3635
was published
for
fastify
(npm)
Mar 25, 2026
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
High
CVE-2026-1526
was published
for
undici
(npm)
Mar 13, 2026
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
High
CVE-2026-2229
was published
for
undici
(npm)
Mar 13, 2026
Undici has CRLF Injection in undici via `upgrade` option
Moderate
CVE-2026-1527
was published
for
undici
(npm)
Mar 13, 2026
Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS
Moderate
CVE-2026-2581
was published
for
undici
(npm)
Mar 13, 2026
ProTip!
Advisories are also available from the
GraphQL API