GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 74
GitHub Actions: 54
Go: 4,134
Maven: 5,000+
npm: 5,000+
NuGet: 1,013
pip: 5,000+
Pub: 13
RubyGems: 1,095
Rust: 1,419
Swift: 61

Unreviewed advisories
All unreviewed: 5,000+
42 advisories
Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`
High | CVE-2026-54002 was published for getkirby/cms (Composer) | Jun 18, 2026

TinaCMS rich-text (slatejson) rendering does not sanitize link/image URLs, allowing stored XSS via dangerous URL schemes
Moderate | CVE-2026-55661 was published for @tinacms/mdx (npm) | Jun 18, 2026

Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue...
Moderate | Unreviewed | CVE-2026-25688 was published | Jun 9, 2026

md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)
High | CVE-2026-46492 was published for md-fileserver (npm) | May 21, 2026

Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image
High | CVE-2026-45314 was published for open-webui (pip) | May 14, 2026

Magento LTS: Reflected XSS - Import -> Data Flow (profiles)
Moderate | CVE-2026-42458 was published for openmage/magento-lts (Composer) | May 6, 2026

n8n Vulnerable to XSS via MCP OAuth client
High | CVE-2026-42235 was published for n8n (npm) | Apr 29, 2026

DotNetNuke.Core has stored cross-site-scripting (XSS) via SVG upload
High | CVE-2026-40321 was published for DotNetNuke.Core (NuGet) | Apr 10, 2026

The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable...
Moderate | Unreviewed | CVE-2025-14732 was published | Apr 8, 2026

Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation...
Moderate | Unreviewed | CVE-2026-22711 was published | Apr 7, 2026

YesWiki has Persistent Blind XSS at "/?BazaR&vue=consulter"
High | CVE-2026-34598 was published for yeswiki/yeswiki (Composer) | Apr 1, 2026

Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster
Moderate | CVE-2026-27120 was published for github.com/vapor/leaf-kit (Swift) | Feb 19, 2026

Contao is vulnerable to cross-site scripting in templates
Low | CVE-2025-65961 was published for contao/core-bundle (Composer) | Nov 25, 2025

bagisto has Cross Site Scripting (XSS) in Create New Customer
Moderate | CVE-2025-62414 was published for bagisto/bagisto (Composer) | Oct 16, 2025

bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)
Moderate | CVE-2025-62418 was published for bagisto/bagisto (Composer) | Oct 16, 2025

bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)
Moderate | CVE-2025-62415 was published for bagisto/bagisto (Composer) | Oct 16, 2025

The Ova Advent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's...
Moderate | Unreviewed | CVE-2025-8561 was published | Oct 15, 2025

Node-SAML SAML Authentication Bypass
Critical | CVE-2025-54369 was published for @node-saml/node-saml (npm) | Jul 25, 2025

Hax CMS Stored Cross-Site Scripting vulnerability
High | CVE-2025-49137 was published for elmsln/haxcms (Composer) | Jun 9, 2025

Gokapi vulnerable to stored XSS via uploading file with malicious file name
Moderate | CVE-2025-48494 was published for github.com/forceu/gokapi (Go) | Jun 3, 2025

Gokapi has stored XSS vulnerability in friendly name for API keys
Moderate | CVE-2025-48495 was published for github.com/forceu/gokapi (Go) | Jun 3, 2025

Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]
Moderate | CVE-2025-27793 was published for vega (npm) | Mar 27, 2025

The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross...
Moderate | Unreviewed | CVE-2024-8505 was published | Oct 2, 2024

The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site...
Moderate | Unreviewed | CVE-2024-4459 was published | Jun 6, 2024

The Opal Estate Pro – Property Management and Submission plugin for WordPress is vulnerable to...
Moderate | Unreviewed | CVE-2024-3666 was published | May 22, 2024

ProTip! Advisories are also available from the GraphQL API