GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
3,304 advisories
DOMPurify is vulnerable to mutation-XSS via Re-Contextualization
Moderate | GHSA-h8r8-wccr-v5f2 was published for dompurify (npm) | Mar 27, 2026

n8n has XSS in its Credential Management Flow
Moderate | GHSA-364x-8g5j-x2pr was published for n8n (npm) | Mar 27, 2026

n8n has XSS in Chat Trigger Node through Custom CSS
Moderate | GHSA-3c7f-5hgj-h279 was published for n8n (npm) | Mar 27, 2026

n8n: Authenticated XSS and Open Redirect via Form Node
Moderate | GHSA-w673-8fjw-457c was published for n8n (npm) | Mar 27, 2026

n8n has a Stored XSS Vulnerability in its Form Trigger
Moderate | GHSA-q4fm-pjq6-m63g was published for n8n (npm) | Mar 27, 2026

Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
Moderate | CVE-2026-33916 was published for handlebars (npm) | Mar 26, 2026

Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag
Moderate | CVE-2026-33883 was published for statamic/cms (Composer) | Mar 26, 2026

n8n Vulnerable to XSS via Binary Data Inline HTML Rendering
Moderate | CVE-2026-33749 was published for n8n (npm) | Mar 26, 2026

AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field
Moderate | CVE-2026-33683 was published for wwbn/avideo (Composer) | Mar 25, 2026

@grackle-ai/server has Missing Content-Security-Policy and X-Frame-Options Headers
Moderate | GHSA-3mjm-x6gw-2x42 was published for @grackle-ai/server (npm) | Mar 25, 2026

Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items
Moderate | CVE-2026-33628 was published for invoiceninja/invoiceninja (Composer) | Mar 24, 2026

Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
Moderate | CVE-2026-33170 was published for activesupport (RubyGems) | Mar 23, 2026

AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization
Moderate | CVE-2026-33500 was published for wwbn/avideo (Composer) | Mar 20, 2026

AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php
Moderate | CVE-2026-33499 was published for wwbn/avideo (Composer) | Mar 20, 2026

PDFME has XSS via Unsanitized i18n Label Injection into innerHTML in multiVariableText propPanel
Moderate | GHSA-xgx4-2wgv-4jhm was published for @pdfme/schemas (npm) | Mar 20, 2026

league/commonmark has an embed extension allowed_domains bypass
Moderate | CVE-2026-33347 was published for league/commonmark (Composer) | Mar 19, 2026

SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials
Moderate | CVE-2026-33311 was published for @dicebear/core (npm) | Mar 19, 2026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nltk
Moderate | CVE-2026-33230 was published for nltk (pip) | Mar 18, 2026

JustHTML has a Sanitizer Bypass (in Markdown)
Moderate | GHSA-3rcm-vjrc-p45j was published for justhtml (pip) | Mar 18, 2026

JustHTML Affected by Mutation XSS via Literal Text Serialization in Raw Text Elements (style/script)
Moderate | GHSA-qvc2-mg72-jjhx was published for justhtml (pip) | Mar 18, 2026

NotChatbot WebChat has a stored cross-site scripting (XSS) vulnerability
Moderate | CVE-2026-30048 was published for @developer.notchatbot/webchat (npm) | Mar 18, 2026

Avo has a XSS vulnerability on `return_to` param
Moderate | CVE-2026-33209 was published for avo (RubyGems) | Mar 18, 2026

Stored XSS in PySpector HTML Report Generation leads to Javascript Code Execution
Moderate | CVE-2026-33140 was published for pyspector (pip) | Mar 18, 2026

Cross-Site Scripting (XSS) via SVG Schema innerHTML Injection in @pdfme/schemas
Moderate | GHSA-87v3-4cfp-cm76 was published for @pdfme/schemas (npm) | Mar 18, 2026

Cross-Site Scripting (XSS) via Select Schema Option Value Injection in @pdfme/schemas
Moderate | GHSA-qq9g-96v4-m3cj was published for @pdfme/schemas (npm) | Mar 18, 2026