GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

425 advisories

MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field High
CVE-2026-24490 was published for mobsf (pip) Jan 26, 2026
Credited to smaranchand
GI-DocGen vulnerable to Reflected XSS via unescaped query strings Moderate
CVE-2025-11687 was published for gi-docgen (pip) Jan 26, 2026
Dask Distributed is Vulnerable to Remote Code Execution via Jupyter Proxy and Dashboard Moderate
CVE-2026-23528 was published for distributed (pip) Jan 16, 2026
Credited to david3107
NiceGUI apps which use `ui.sub_pages` vulnerable to zero-click XSS High
CVE-2026-21873 was published for nicegui (pip) Jan 8, 2026
Credited to evnchn, xx-mikusan-xx, and falkoschindler
NiceGUI is vulnerable to XSS via Unescaped URL in ui.navigate.history.push() / replace() Moderate
CVE-2026-21871 was published for nicegui (pip) Jan 8, 2026
Credited to xx-mikusan-xx, evnchn, and falkoschindler
Mayan EDMS is vulnerable to XSS through the /authentication/ file Low
CVE-2025-14691 was published for mayan-edms (pip) Dec 15, 2025
NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content Moderate
CVE-2025-66470 was published for nicegui (pip) Dec 8, 2025
Credited to twmoon, evnchn, and falkoschindler
NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection Moderate
CVE-2025-66469 was published for nicegui (pip) Dec 8, 2025
Credited to twmoon, evnchn, and falkoschindler
Spotipy has a XSS vulnerability in its OAuth callback server Low
CVE-2025-66040 was published for spotipy (pip) Dec 1, 2025
Credited to yueyueL
OMERO.web uses jquery-form library, which may be vulnerable to XSS attack Low
GHSA-j4gv-6x9v-v23g was published for omero-web (pip) Nov 24, 2025
changedetection.io: Stored XSS in Watch update via API Low
CVE-2025-62780 was published for changedetection.io (pip) Nov 12, 2025
Credited to edoardottt
Credited to gg0h
OctoPrint vulnerable to XSS in Action Commands Notification and Prompt Moderate
CVE-2025-64187 was published for octoprint (pip) Nov 4, 2025
Credited to jacopotediosi
FastMCP vulnerable to reflected XSS in client's callback page Moderate
CVE-2025-62800 was published for fastmcp (pip) Oct 29, 2025
Credited to an7y
CKAN vulnerable to stored XSS in resource description Moderate
CVE-2025-54384 was published for ckan (pip) Oct 29, 2025
Credited to asifnawazminhas
Credited to emilvirkki
Home Assistant has Stored XSS vulnerability in Energy dashboard from Energy Entity Name High
CVE-2025-62172 was published for homeassistant (pip) Oct 14, 2025
Credited to pwnpanda
pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters High
CVE-2025-61773 was published for pyload-ng (pip) Oct 9, 2025
Credited to odaysec
NiceGUI has a Reflected XSS Moderate
CVE-2025-53354 was published for nicegui (pip) Oct 3, 2025
Credited to oxqnd
Indico vulnerable to Cross-Site Scripting via LaTeX math code Moderate
CVE-2025-59035 was published for indico (pip) Sep 10, 2025
Credited to ThiefMaster
copyparty Reflected XSS via Filter Parameter Moderate
CVE-2025-54589 was published for copyparty (pip) Jul 31, 2025
Credited to Ju0x
copyparty has DOM-Based XSS vulnerability when displaying multimedia metadata Moderate
CVE-2025-54423 was published for copyparty (pip) Jul 28, 2025
Credited to altperfect