Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,436
Maven
5,000+
npm
5,000+
NuGet
883
pip
4,694
Pub
13
RubyGems
1,029
Rust
1,212
Swift
53
Unreviewed advisories
All unreviewed
5,000+

3,334 advisories

Loading
CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization Moderate
CVE-2026-39392 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
offset Credited to offset
CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List Moderate
CVE-2026-39391 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
offset Credited to offset
CI4MS has stored XSS via srcdoc attribute bypass in Google Maps iframe setting Moderate
CVE-2026-39390 was published for ci4-cms-erp/ci4ms (Composer) Apr 8, 2026
offset Credited to offset
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface Moderate
CVE-2026-33865 was published for mlflow (pip) Apr 7, 2026
Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the creation/editing module Moderate
CVE-2026-31313 was published for feehi/cms (Composer) Apr 6, 2026
Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Page Sign parameter Moderate
CVE-2026-31350 was published for feehi/cms (Composer) Apr 6, 2026
Feehi CMS has authenticated stored cross-site scripting (XSS) vulnerabilities via the Permissions module Moderate
CVE-2026-31354 was published for feehi/cms (Composer) Apr 6, 2026
Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Category module Moderate
CVE-2026-31353 was published for feehi/cms (Composer) Apr 6, 2026
Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the Role Management module Moderate
CVE-2026-31352 was published for feehi/cms (Composer) Apr 6, 2026
Feehi CMS has an authenticated stored cross-site scripting (XSS) vulnerability via the creation/editing module Moderate
CVE-2026-31351 was published for feehi/cms (Composer) Apr 6, 2026
WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page Moderate
CVE-2026-39367 was published for wwbn/avideo (Composer) Apr 8, 2026
offset Credited to offset
Emissary has Stored XSS via Navigation Template Link Injection Moderate
CVE-2026-35571 was published for gov.nsa.emissary:emissary (Maven) Apr 7, 2026
BrennanTM Credited to BrennanTM
Hugo: Certain markdown links are not properly escaped Moderate
CVE-2026-35166 was published for github.com/gohugoio/hugo (Go) Apr 3, 2026
cataliniovita Credited to cataliniovita
D-Tale: Remote Code Execution through redis/shelf storage Moderate
CVE-2026-35052 was published for dtale (pip) Apr 3, 2026
QiaoNPC Credited to QiaoNPC
phpMyFAQ: SVG Sanitizer Bypass via HTML Entity Encoding Leads to Stored XSS and Privilege Escalation Moderate
CVE-2026-34974 was published for thorsten/phpmyfaq (Composer) Apr 1, 2026
0xmanhnv Credited to 0xmanhnv
phpMyFAQ: Stored XSS via Regex Bypass in Filter::removeAttributes() Moderate
CVE-2026-34729 was published for phpmyfaq/phpmyfaq (Composer) Apr 1, 2026
ik0z Credited to ik0z
phpMyFAQ is Vulnerable to Stored XSS via Unsanitized Email Field in Admin FAQ Editor Moderate
CVE-2026-32629 was published for phpmyfaq/phpmyfaq (Composer) Mar 31, 2026
CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS Moderate
CVE-2026-34562 was published for ci4-cms-erp/ci4ms (Composer) Apr 1, 2026
bugmithlegend Credited to bugmithlegend and LAW6ZX7 LAW6ZX7 LAW6ZX7
CI4MS: System Settings (Social Media Management) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS Moderate
CVE-2026-34561 was published for ci4-cms-erp/ci4ms (Composer) Apr 1, 2026
bugmithlegend Credited to bugmithlegend and LAW6ZX7 LAW6ZX7 LAW6ZX7
File Browser vulnerable to Stored Cross-site Scripting via text/template branding injection Moderate
CVE-2026-34530 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 31, 2026
tomasvanagas Credited to tomasvanagas
Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes Moderate
CVE-2026-34405 was published for nuxt-og-image (npm) Mar 31, 2026
Roundcube Webmail: Insufficient HTML attachment sanitization in preview mode Moderate
CVE-2026-35539 was published for roundcube/roundcubemail (Composer) Apr 3, 2026
n8n has XSS in Chat Trigger Node through Custom CSS Moderate
GHSA-3c7f-5hgj-h279 was published for n8n (npm) Mar 27, 2026
JorianWoltjer Credited to JorianWoltjer and ioaniftimesei ioaniftimesei ioaniftimesei
AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php Moderate
CVE-2026-34739 was published for wwbn/avideo (Composer) Apr 1, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
AVideo has Stored XSS via Unescaped Menu Item Fields in TopMenu Plugin Moderate
GHSA-gmpc-fxg2-vcmq was published for wwbn/avideo (Composer) Apr 1, 2026
adrgs Credited to adrgs
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database