GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
11 advisories
Apollo Serve vulnerable to Denial of Service with `startStandaloneServer`
High
CVE-2026-23897
was published
for
@apollo/server
(npm)
Feb 4, 2026
node-tar has a race condition leading to uninitialized memory exposure
Moderate
CVE-2025-64118
was published
for
tar
(npm)
Oct 30, 2025
sha.js is missing type checks leading to hash rewind and passing on crafted data
Critical
CVE-2025-9288
was published
for
sha.js
(npm)
Aug 21, 2025
cipher-base is missing type checks, leading to hash rewind and passing on crafted data
Critical
CVE-2025-9287
was published
for
cipher-base
(npm)
Aug 21, 2025
tiny-secp256k1 allows for verify() bypass when running in bundled environment
High
CVE-2024-49365
was published
for
tiny-secp256k1
(npm)
Jun 30, 2025
tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled environment
High
CVE-2024-49364
was published
for
tiny-secp256k1
(npm)
Jun 30, 2025
pbkdf2 silently disregards Uint8Array input, returning static keys
Critical
CVE-2025-6547
was published
for
pbkdf2
(npm)
Jun 23, 2025
pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
Critical
CVE-2025-6545
was published
for
pbkdf2
(npm)
Jun 23, 2025
Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
Critical
GHSA-vjh7-7g9h-fjfh
was published
for
elliptic
(npm)
Feb 12, 2025
pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion
Moderate
CVE-2024-53866
was published
for
pnpm
(npm)
Dec 10, 2024
secp256k1-node allows private key extraction over ECDH
High
CVE-2024-48930
was published
for
secp256k1
(npm)
Oct 21, 2024
ProTip!
Advisories are also available from the
GraphQL API