Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
45
Go
3,248
Maven
5,000+
npm
5,000+
NuGet
867
pip
4,513
Pub
12
RubyGems
997
Rust
1,189
Swift
51
Unreviewed advisories
All unreviewed
5,000+

575 advisories

Loading
AVideo Affected by Stored XSS via Unescaped Video Title in CDN downloadButtons.php High
CVE-2026-33295 was published for wwbn/avideo (Composer) Mar 19, 2026
fg0x0 Credited to fg0x0
Filament Unvalidated Range and Values summarizer values can be used for XSS High
CVE-2026-33080 was published for filament/tables (Composer) Mar 18, 2026
danharrin Credited to danharrin
Statamic has Stored XSS via SVG Sanitization Bypass High
CVE-2026-33172 was published for statamic/cms (Composer) Mar 18, 2026
FilipeGaudard Credited to FilipeGaudard
Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries High
CVE-2026-32728 was published for parse-server (npm) Mar 16, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Angular vulnerable to XSS in i18n attribute bindings High
CVE-2026-32635 was published for @angular/compiler (npm) Mar 13, 2026
alan-agius4 Credited to alan-agius4, AndrewKushnir, securityMB, josephperrott, crisbeto, and hdtmccallie AndrewKushnir AndrewKushnir
securityMB securityMB josephperrott josephperrott crisbeto crisbeto hdtmccallie hdtmccallie
OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose") High
CVE-2026-32308 was published for oneuptime (npm) Mar 13, 2026
restriction Credited to restriction
Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload High
CVE-2026-30948 was published for parse-server (npm) Mar 11, 2026
restriction Credited to restriction and mtrezza mtrezza mtrezza
Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking High
CVE-2026-29175 was published for craftcms/commerce (Composer) Mar 10, 2026
mHe4am Credited to mHe4am
FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse) High
CVE-2026-30934 was published for github.com/gtsteffaniak/filebrowser (Go) Mar 9, 2026
lulaide Credited to lulaide
Gogs: DOM-based XSS via milestone selection High
CVE-2026-26276 was published for gogs.io/gogs (Go) Mar 5, 2026
odgrso Credited to odgrso
Gogs: Stored XSS via data URI in issue comments High
CVE-2026-26022 was published for gogs.io/gogs (Go) Mar 5, 2026
dxlerYT Credited to dxlerYT
Gokapi has Stored XSS in SVG Hotlinks High
CVE-2026-28683 was published for github.com/forceu/gokapi (Go) Mar 5, 2026
Sijisu Credited to Sijisu, aisafe-bot, and Forceu aisafe-bot aisafe-bot
Forceu Forceu
ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover High
CVE-2026-29192 was published for github.com/zitadel/zitadel (Go) Mar 4, 2026
amit-laish Credited to amit-laish and livio-a livio-a livio-a
XWiki Blog Application home page vulnerable to Stored XSS via Post Title High
CVE-2025-66024 was published for org.xwiki.contrib.blog:application-blog-ui (Maven) Mar 4, 2026
lukasz-rybak Credited to lukasz-rybak
Statamic vulnerable to privilege escalation via stored cross-site scripting High
CVE-2026-28426 was published for statamic/cms (Composer) Mar 1, 2026
Angular i18n vulnerable to Cross-Site Scripting High
CVE-2026-27970 was published for @angular/core (npm) Feb 27, 2026
AndrewKushnir Credited to AndrewKushnir, josephperrott, alan-agius4, and dgp1130 josephperrott josephperrott
alan-agius4 alan-agius4 dgp1130 dgp1130
CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage High
CVE-2026-26862 was published for clevertap-web-sdk (npm) Feb 27, 2026
CleverTap Web SDK is vulnerable to DOM-based XSS via handleCustomHtmlPreviewPostMessageEvent function High
CVE-2026-26861 was published for clevertap-web-sdk (npm) Feb 27, 2026
Storybook Dev Server is Vulnerable to WebSocket Hijacking High
CVE-2026-27148 was published for storybook (npm) Feb 26, 2026
Aikido-Security Credited to Aikido-Security, reindaelman, grumpinout1, and JorianWoltjer reindaelman reindaelman
grumpinout1 grumpinout1 JorianWoltjer JorianWoltjer
Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure High
CVE-2026-27616 was published for code.vikunja.io/api (Go) Feb 25, 2026
iamsampathk Credited to iamsampathk and sudo0xksh sudo0xksh sudo0xksh
n8n Vulnerable to Stored XSS via Various Nodes High
CVE-2026-27578 was published for n8n (npm) Feb 25, 2026
ori-ron Credited to ori-ron, Aikido-Security, and nil340 Aikido-Security Aikido-Security
nil340 nil340
Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS) through Custom Rule Function High
CVE-2026-25733 was published for rucio-webui (pip) Feb 25, 2026
d-woosley Credited to d-woosley
Rucio WebUI has a Reflected Cross-site Scripting Vulnerability High
CVE-2026-25136 was published for rucio-webui (pip) Feb 25, 2026
d-woosley Credited to d-woosley
New API has Potential XSS in its MarkdownRenderer component High
CVE-2026-25802 was published for github.com/QuantumNous/new-api (Go) Feb 23, 2026
small-lovely-cat Credited to small-lovely-cat, TechnologyStar, t0ng7u, and Calcium-Ion TechnologyStar TechnologyStar
t0ng7u t0ng7u Calcium-Ion Calcium-Ion
Google Cloud Vertex AI SDK affected by Stored Cross-Site Scripting (XSS) High
CVE-2026-2472 was published for google-cloud-aiplatform (pip) Feb 20, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database