GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,103 advisories

svelte is vulnerable to XSS with textarea bind:value High
GHSA-gw32-9rmw-qwww was published for svelte (npm) Jan 16, 2026
Credited to coyotte508, Conduitry, and benmccann
CakePHP PaginatorHelper::limitControl() vulnerable to reflected cross-site-scripting Moderate
CVE-2026-23643 was published for cakephp/cakephp (Composer) Jan 16, 2026
Credited to phpcss-ankue and markstory
SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload Moderate
CVE-2026-23645 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 16, 2026
Credited to jaroslaw-wawiorko
Dask Distributed is Vulnerable to Remote Code Execution via Jupyter Proxy and Dashboard Moderate
CVE-2026-23528 was published for distributed (pip) Jan 16, 2026
PlantUML is vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams Low
CVE-2026-0858 was published for net.sourceforge.plantuml:plantuml (Maven) Jan 16, 2026
solspace/craft-freeform Vulnerable to XSS in `PhpSpreadsheet` HTML Writer Due to Unsanitized Styling Data Low
GHSA-44jg-mv3h-wj6g was published for solspace/craft-freeform (Composer) Jan 15, 2026
Credited to riekusdn
svelte vulnerable to Cross-site Scripting Moderate
CVE-2025-15265 was published for svelte (npm) Jan 15, 2026
Credited to elliott-with-the-longest-name-on-github and Rich-Harris
html2pdf.js contains a cross-site scripting vulnerability High
CVE-2026-22787 was published for html2pdf.js (npm) Jan 14, 2026
Credited to aydinnyunus and eKoopmans
Malicious website can execute commands on the local system through XSS in the OpenCode web UI Critical
CVE-2026-22813 was published for opencode-ai (npm) Jan 13, 2026
Credited to AlbertSPedersen
HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover High
CVE-2026-22704 was published for @haxtheweb/haxcms-nodejs (npm) Jan 13, 2026
Credited to August829
Credited to david3107
QuestDB UI's Web Console is Vulnerable to Cross-Site Scripting Low
CVE-2026-0824 was published for @questdb/web-console (npm) Jan 10, 2026
October CMS Vulnerable to Stored XSS via Branding Styles Moderate
CVE-2025-61676 was published for october/system (Composer) Jan 9, 2026
Credited to nakkouchtarek and daftspunk
Angular has XSS Vulnerability via Unsanitized SVG Script Attributes High
CVE-2026-22610 was published for @angular/compiler (npm) Jan 9, 2026
Credited to alan-agius4, josephperrott, AndrewKushnir, jelbourn, hybrist, ShelbyKelley, and gkalpak
October CMS Vulnerable to Stored XSS via Editor and Branding Styles Moderate
CVE-2025-61674 was published for october/system (Composer) Jan 9, 2026
Credited to nakkouchtarek and daftspunk
Salvo is vulnerable to reflected XSS in the list_html function High
CVE-2026-22256 was published for salvo (Rust) Jan 8, 2026
Credited to AhmedMokhtari, mwlik, and imenyoo2
Credited to AhmedMokhtari, imenyoo2, and mwlik
React Router vulnerable to XSS via Open Redirects High
CVE-2026-22029 was published for @remix-run/router (npm) Jan 8, 2026
Credited to Oceandust
React Router SSR XSS in ScrollRestoration High
CVE-2026-21884 was published for @remix-run/react (npm) Jan 8, 2026
Credited to zaddy6 and arthurgervais
React Router has XSS Vulnerability High
CVE-2025-59057 was published for @remix-run/react (npm) Jan 8, 2026
Credited to zaddy6 and arthurgervais
NiceGUI apps which use `ui.sub_pages` vulnerable to zero-click XSS High
CVE-2026-21873 was published for nicegui (pip) Jan 8, 2026
Credited to evnchn and falkoschindler
Credited to evnchn, xx-mikusan-xx, and falkoschindler
NiceGUI is vulnerable to XSS via Unescaped URL in ui.navigate.history.push() / replace() Moderate
CVE-2026-21871 was published for nicegui (pip) Jan 8, 2026
Credited to xx-mikusan-xx, evnchn, and falkoschindler
`vega-functions` vulnerable to Cross-site Scripting via `setdata` function High
CVE-2025-66648 was published for vega-functions (npm) Jan 5, 2026
Credited to nikolaybabiy, hydrosquall, and domoritz
Credited to nickcopi, hydrosquall, and domoritz