Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
41
Go
3,049
Maven
5,000+
npm
4,787
NuGet
825
pip
4,384
Pub
12
RubyGems
988
Rust
1,144
Swift
50
Unreviewed advisories
All unreviewed
5,000+

16 advisories

Loading
SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only) Low
GHSA-fpg4-jhqr-589c was published for @sveltejs/kit (npm) Feb 28, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github and jviide jviide jviide
Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers Moderate
CVE-2026-27902 was published for svelte (npm) Feb 26, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github, KarimPwnz, and maksyche KarimPwnz KarimPwnz
maksyche maksyche
Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent` Moderate
CVE-2026-27901 was published for svelte (npm) Feb 26, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github and KarimPwnz KarimPwnz KarimPwnz
CPU exhaustion in SvelteKit remote form deserialization (experimental only) Moderate
GHSA-88qp-p4qg-rqm6 was published for @sveltejs/kit (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Memory exhaustion in SvelteKit remote form deserialization (experimental only) Moderate
GHSA-vrhm-gvg7-fpcf was published for @sveltejs/kit (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
devalue affected by CPU and memory amplification from sparse arrays Low
GHSA-33hq-fvwr-56pm was published for devalue (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed Low
GHSA-8qm3-746x-r74r was published for devalue (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Svelte SSR attribute spreading includes inherited properties from prototype chain Moderate
CVE-2026-27125 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Svelte SSR does not validate dynamic element tag names in `<svelte:element>` Moderate
CVE-2026-27122 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Svelte affected by cross-site scripting via spread attributes in Svelte SSR Moderate
CVE-2026-27121 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Svelte affected by XSS in SSR `<option>` element Moderate
CVE-2026-27119 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Cache poisoning in @sveltejs/adapter-vercel Moderate
CVE-2026-27118 was published for @sveltejs/adapter-vercel (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse High
CVE-2026-22775 was published for devalue (npm) Jan 15, 2026
jviide Credited to jviide, elliott-with-the-longest-name-on-github, and Rich-Harris elliott-with-the-longest-name-on-github elliott-with-the-longest-name-on-github
Rich-Harris Rich-Harris
svelte vulnerable to Cross-site Scripting Moderate
CVE-2025-15265 was published for svelte (npm) Jan 15, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github, Rich-Harris, and caverav Rich-Harris Rich-Harris
caverav caverav
@sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sveltekit-formdata) High
CVE-2026-22803 was published for @sveltejs/kit (npm) Jan 15, 2026
hashcoko Credited to hashcoko, ottomated, and elliott-with-the-longest-name-on-github ottomated ottomated
elliott-with-the-longest-name-on-github elliott-with-the-longest-name-on-github
Devalue is vulnerable to denial of service due to memory exhaustion in devalue.parse High
CVE-2026-22774 was published for devalue (npm) Jan 15, 2026
jviide Credited to jviide, elliott-with-the-longest-name-on-github, and Rich-Harris elliott-with-the-longest-name-on-github elliott-with-the-longest-name-on-github
Rich-Harris Rich-Harris
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database