Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,831
Maven
5,000+
npm
4,462
NuGet
775
pip
4,226
Pub
12
RubyGems
972
Rust
1,093
Swift
47
Unreviewed advisories
All unreviewed
5,000+

186 advisories

Loading
SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload Moderate
CVE-2026-23645 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 16, 2026
jaroslaw-wawiorko
Credited to jaroslaw-wawiorko
Mattermost Server vulnerable to XSS via an uploaded file Moderate
CVE-2017-18904 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server is vulnerable to XSS through display name field Moderate
CVE-2017-18893 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover Moderate
CVE-2026-21483 was published for github.com/knadh/listmonk (Go) Jan 2, 2026
PlayerIUnknown
Credited to PlayerIUnknown
Reflected XSS in go-httpbin due to unrestricted client control over Content-Type Low
CVE-2025-45286 was published for github.com/mccutchen/go-httpbin (Go) Mar 21, 2025
AyushXtha
Credited to AyushXtha
Duplicate Advisory: Reflected XSS in go-httpbin due to unrestricted client control over Content-Type Low
GHSA-p4f6-h8jj-vfvf was published for github.com/mccutchen/go-httpbin (Go) Jan 2, 2026 withdrawn
Libredesk has Improper Neutralization of HTML Tags in a Web Page High
CVE-2025-68927 was published for github.com/abhinavxd/libredesk (Go) Dec 16, 2025
PlayerIUnknown
Credited to PlayerIUnknown
Gitea vulnerable to Cross-site Scripting Moderate
CVE-2025-68946 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text Moderate
CVE-2025-68942 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Algernon Cross-Site Scripting vulnerability Moderate
CVE-2025-65754 was published for github.com/xyproto/algernon (Go) Dec 10, 2025
ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login High
CVE-2025-67495 was published for github.com/zitadel/zitadel (Go) Dec 8, 2025
amit-laish peintnermax
livio-a
Credited to amit-laish, peintnermax, and livio-a
Mattermost Server is vulnerable to XSS through author_link field in Slack attachments Moderate
CVE-2017-18879 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server is vulnerable to XSS attacks against an OAuth 2.0 allow/deny page Moderate
CVE-2017-18877 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Anubis vulnerable to possible XSS via redir parameter when using subrequest auth mode Moderate
CVE-2025-64716 was published for github.com/TecharoHQ/anubis (Go) Oct 30, 2025
nijel mbiesiad
Credited to nijel and mbiesiad
Mattermost Server allows XSS via CSRF Moderate
CVE-2016-11084 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server: Files may be rendered inline instead of downloaded, allowing script execution Moderate
CVE-2016-11083 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server is vulnerable to XSS through crafted links Moderate
CVE-2016-11082 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server allows XSS via redirect URL Moderate
CVE-2016-11079 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener` Moderate
CVE-2016-11071 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server is vulnerable to XSS via a Legal or Support setting Moderate
CVE-2016-11073 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server is vulnerable to XSS through customizable theme color-code values Moderate
CVE-2016-11070 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server vulnerable to Cross-site Scripting through file preview feature Moderate
CVE-2016-11063 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
listmonk: CSRF to XSS Chain can Lead to Admin Account Takeover High
CVE-2025-58430 was published for github.com/knadh/listmonk (Go) Sep 9, 2025
r3verii
Credited to r3verii
Memos Vulnerable to Stored Cross-Site Scripting Moderate
CVE-2025-56761 was published for github.com/usememos/memos (Go) Sep 4, 2025
Gokapi has stored XSS vulnerability in friendly name for API keys Moderate
CVE-2025-48495 was published for github.com/forceu/gokapi (Go) Jun 3, 2025
Forceu
Credited to Forceu
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database