@openzeppelin/contracts-upgradeable vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

Get a demo

Browse by ecosystem

npmPyPIMavenGoRubyGemsCargoNuGetComposerpubSwiftGitHub Actions
CVE-IDSeverityPackage summary
CVE-2025-54070Medium@openzeppelin/contracts: OpenZeppelin Contracts Bytes's lastIndexOf function with position argument performs out-of-bound memory access on empty buffersCVE-2024-27094Medium@openzeppelin/contracts: OpenZeppelin Contracts base64 encoding may read from potentially dirty memoryCVE-2023-49798Medium@openzeppelin/contracts: OpenZeppelin Contracts and Contracts Upgradeable duplicated execution of subcalls in v4.9.4CVE-2023-40014Medium@openzeppelin/contracts: OpenZeppelin Contracts vulnerable to Improper Escaping of OutputCVE-2023-34459Medium@openzeppelin/contracts: OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific treesCVE-2023-34234Medium@openzeppelin/contracts: OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunningCVE-2023-30542High@openzeppelin/contracts: GovernorCompatibilityBravo may trim proposal calldataCVE-2023-30541Medium@openzeppelin/contracts: OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegatedCVE-2023-26488Medium@openzeppelin/contracts: OpenZeppelin Contracts contains Incorrect CalculationCVE-2022-35961High@openzeppelin/contracts: OpenZeppelin Contracts vulnerable to ECDSA signature malleabilityCVE-2022-31198High@openzeppelin/contracts: OpenZeppelin Contracts's GovernorVotesQuorumFraction updates to quorum may affect past defeated proposalsCVE-2022-35916Medium@openzeppelin/contracts: OpenZeppelin Contracts's Cross chain utilities for Arbitrum L2 see EOA calls as cross chain callsCVE-2022-35915Medium@openzeppelin/contracts: OpenZeppelin Contracts ERC165Checker unbounded gas consumptionCVE-2022-31172High@openzeppelin/contracts: OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signersCVE-2022-31170High@openzeppelin/contracts: OpenZeppelin Contracts's ERC165Checker may revert instead of returning falseGHSA-7J52-6FJP-58GRLow@openzeppelin/contracts-upgradeable: Inconsistent storage layout for ERC2771ContextUpgradeableGHSA-M6W8-FQ7V-PH4MMedium@openzeppelin/contracts: GovernorCompatibilityBravo incorrect ABI encoding may lead to unexpected behaviorCVE-2022-39384Medium@openzeppelin/contracts: OpenZeppelin Contracts initializer reentrancy may lead to double initializationGHSA-WMPV-C2JP-J2XGLow@openzeppelin/contracts: ERC1155Supply vulnerability in OpenZeppelin ContractsCVE-2021-41264Critical@openzeppelin/contracts: UUPSUpgradeable vulnerability in @openzeppelin/contractsGHSA-Q4H9-46XG-M3X9Critical@openzeppelin/contracts-upgradeable: UUPSUpgradeable vulnerability in @openzeppelin/contracts-upgradeableCVE-2021-39168Critical@openzeppelin/contracts-upgradeable: TimelockController vulnerability in OpenZeppelin Contracts

Stop the waste.
Protect your environment with Kodem.