GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
26 advisories
XSS via prototype pollution in NodeBB
Critical
CVE-2021-43787
was published
for
nodebb
(npm)
Nov 30, 2021
Unsafe defaults in `remark-html`
Critical
CVE-2021-39199
was published
for
remark-html
(npm)
Sep 7, 2021
Cross-Site Scripting in swagger-ui
Critical
GHSA-g336-c7wv-8hp3
was published
for
swagger-ui
(npm)
Sep 1, 2020
external-svg-loader Cross-site Scripting vulnerability
Critical
CVE-2023-40013
was published
for
external-svg-loader
(npm)
Aug 14, 2023
Cross-site Scripting in @spscommerce/ds-react
Critical
GHSA-cfxh-frx4-9gjg
was published
for
@spscommerce/ds-react
(npm)
Dec 15, 2023
NextChat has full-read SSRF and XSS vulnerability in /api/cors endpoint
Critical
CVE-2023-49785
was published
for
nextchat
(npm)
Aug 5, 2024
Cross-site scripting in Swagger-UI
Critical
CVE-2019-17495
was published
for
io.springfox:springfox-swagger-ui
(Maven)
Oct 15, 2019
happy-dom allows for server side code to be executed by a <script> tag
Critical
CVE-2024-51757
was published
for
happy-dom
(npm)
Nov 6, 2024
Parsed HTML anchor links in Markdown provided to parseMarkdown can result in XSS in @nuxtjs/mdc
Critical
CVE-2025-24981
was published
for
@nuxtjs/mdc
(npm)
Feb 6, 2025
Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel
Critical
CVE-2025-50538
was published
for
flowise
(npm)
Oct 3, 2025
Malicious website can execute commands on the local system through XSS in the OpenCode web UI
Critical
CVE-2026-22813
was published
for
opencode-ai
(npm)
Jan 13, 2026
Saltcorn's Reflected XSS and Command Injection vulnerabilities can be chained for 1-click-RCE
Critical
GHSA-cr3w-cw5w-h3fj
was published
for
@saltcorn/server
(npm)
Jan 26, 2026
ProTip!
Advisories are also available from the
GraphQL API