GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
6,687 advisories
Advisory | Severity | Published identifier | Affected package (ecosystem)
pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config | High | GHSA-qrv3-253h-g69c | pnpm (npm)
pnpm: `patch-remove` could delete project-selected files outside the patches directory | High | GHSA-72r4-9c5j-mj57 | pnpm (npm)
pnpm: Hoisted install imports lockfile alias outside node_modules | High | GHSA-fr4h-3cph-29xv | pnpm (npm)
pnpm: `stage download` writes outside its destination directory via manifest name/version traversal | High | CVE-2026-55700 | pnpm (npm)
pnpm: Reserved bin name deletes PNPM_HOME during global remove | Moderate | CVE-2026-55699 | pnpm (npm)
pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes | High | CVE-2026-55698 | pnpm (npm)
pnpm: Repository-controlled configDependencies can select a pacquet native install engine | High | CVE-2026-55697 | pnpm (npm)
pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle | High | CVE-2026-55487 | pnpm (npm)
pnpm: Repository config can expand victim environment secrets into registry requests before scripts run | Moderate | CVE-2026-55180 | pnpm (npm)
pnpm Vulnerable to Arbitrary File Write/Delete via Malicious Patch File (Path Traversal) | High | CVE-2026-50015 | pnpm (npm)
pnpm binds unscoped user-level npm auth credentials to a repository-selected registry | Moderate | CVE-2026-50017 | pnpm (npm)
pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement | High | CVE-2026-50016 | pnpm (npm)
pnpm: Git Fetch Argument Injection via Lockfile resolution.commit | Moderate | CVE-2026-50014 | pnpm (npm)
pnpm Has an Integrity Check Bypass via Missing Lockfile Integrity Field | Moderate | CVE-2026-50021 | pnpm (npm)
pnpm: Unsafe default behavior breaks integrity check | Moderate | CVE-2026-50573 | pnpm (npm)
js-toml has silent type confusion via falsy-primitive duplicate-key bypass | Moderate | CVE-2026-50029 | js-toml (npm)
@microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter | Moderate | CVE-2026-49336 | @microsoft/kiota-http-fetchlibrary (npm)
js-toml vulnerable to CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals | High | CVE-2026-49293 | js-toml (npm)
Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication | High | CVE-2026-49357 | line-desktop-mcp (npm)
pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile | Moderate | CVE-2026-48995 | pnpm (npm)
@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url | Low | GHSA-rp72-5v5q-2446 | @cardano402/mcp-server (npm)
deepstream is vulnerable to prototype pollution | Critical | CVE-2026-49252 | @deepstream/server (npm)
better-helperjs Vulnerable to Directory Traversal via String Prefix Bypass in Static Server | High | GHSA-3p34-w4f6-5xh2 | better-helperjs (npm)
Muhammara has a NULL pointer dereference in LZWDecode filter when DecodeParms omits EarlyChange key | High | GHSA-fhp4-pr5j-46m5 | muhammara (npm)
LinkifyIt#match scan loop has quadratic algorithmic complexity | High | CVE-2026-48801 | linkify-it (npm)