Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,831
Maven
5,000+
npm
4,462
NuGet
775
pip
4,226
Pub
12
RubyGems
972
Rust
1,093
Swift
47
Unreviewed advisories
All unreviewed
5,000+

671 advisories

Loading
svelte vulnerable to Cross-site Scripting Moderate
CVE-2025-15265 was published for svelte (npm) Jan 15, 2026
elliott-with-the-longest-name-on-github Rich-Harris
Credited to elliott-with-the-longest-name-on-github and Rich-Harris
Cross-Site Scripting in backbone Moderate
CVE-2016-10537 was published for backbone (npm) Feb 18, 2019
ljharb
Credited to ljharb
svelte is vulnerable to XSS with textarea bind:value High
GHSA-gw32-9rmw-qwww was published for svelte (npm) Jan 16, 2026
coyotte508 Conduitry
benmccann
Credited to coyotte508, Conduitry, and benmccann
Angular has XSS Vulnerability via Unsanitized SVG Script Attributes High
CVE-2026-22610 was published for @angular/compiler (npm) Jan 9, 2026
alan-agius4 josephperrott
AndrewKushnir jelbourn hybrist ShelbyKelley gkalpak
Credited to alan-agius4, josephperrott, AndrewKushnir, jelbourn, hybrist, ShelbyKelley, and gkalpak
jQuery vulnerable to Cross-Site Scripting (XSS) Moderate
CVE-2011-4969 was published for jQuery (RubyGems) May 14, 2022
jhutchings1 klaudialax
Credited to jhutchings1 and klaudialax
html2pdf.js contains a cross-site scripting vulnerability High
CVE-2026-22787 was published for html2pdf.js (npm) Jan 14, 2026
aydinnyunus eKoopmans
Credited to aydinnyunus and eKoopmans
Malicious website can execute commands on the local system through XSS in the OpenCode web UI Critical
CVE-2026-22813 was published for opencode-ai (npm) Jan 13, 2026
AlbertSPedersen
Credited to AlbertSPedersen
QuestDB UI's Web Console is Vulnerable to Cross-Site Scripting Low
CVE-2026-0824 was published for @questdb/web-console (npm) Jan 10, 2026
Orejime has executable code in HTML attributes Low
CVE-2025-68457 was published for orejime (npm) Dec 19, 2025
Rudloff felixgirault
Credited to Rudloff and felixgirault
HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover High
CVE-2026-22704 was published for @haxtheweb/haxcms-nodejs (npm) Jan 13, 2026
August829
Credited to August829
React Router vulnerable to XSS via Open Redirects High
CVE-2026-22029 was published for @remix-run/router (npm) Jan 8, 2026
Oceandust
Credited to Oceandust
React Router SSR XSS in ScrollRestoration High
CVE-2026-21884 was published for @remix-run/react (npm) Jan 8, 2026
zaddy6 arthurgervais
Credited to zaddy6 and arthurgervais
React Router has XSS Vulnerability High
CVE-2025-59057 was published for @remix-run/react (npm) Jan 8, 2026
zaddy6 arthurgervais
Credited to zaddy6 and arthurgervais
Trix has a stored XSS vulnerability through its attachment attribute Moderate
GHSA-g9jg-w8vm-g96v was published for action_text-trix (RubyGems) Dec 31, 2025
`vega-functions` vulnerable to Cross-site Scripting via `setdata` function High
CVE-2025-66648 was published for vega-functions (npm) Jan 5, 2026
nikolaybabiy hydrosquall
domoritz
Credited to nikolaybabiy, hydrosquall, and domoritz
Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope High
CVE-2025-65110 was published for vega-selections (npm) Jan 5, 2026
nickcopi hydrosquall
domoritz
Credited to nickcopi, hydrosquall, and domoritz
vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS) Moderate
CVE-2024-6783 was published for vue-template-compiler (npm) Jul 23, 2024
sdesalas knutwannheden
Credited to sdesalas and knutwannheden
n8n's Possible Stored XSS in "Respond to Webhook" Node May Execute Outside iframe Sandbox High
CVE-2025-61914 was published for n8n (npm) Dec 26, 2025
nlgbao1340
Credited to nlgbao1340
Tuta Mail has DOM attribute and CSS injection in its Contact Viewer feature Low
GHSA-24v3-254g-jv85 was published for @tutao/tutanota-utils (npm) Dec 19, 2025
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables Moderate
CVE-2025-68115 was published for parse-server (npm) Dec 16, 2025
yueyueL mtrezza
Credited to yueyueL and mtrezza
Vuetify has a Cross-site Scripting (XSS) vulnerability in the VDatePicker component Moderate
CVE-2025-8082 was published for vuetify (npm) Dec 12, 2025
@tiptap/extension-link vulnerable to Cross-site Scripting (XSS) Low
CVE-2025-14284 was published for @tiptap/extension-link (npm) Dec 9, 2025
Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting) Moderate
GHSA-9x4v-xfq5-m8x5 was published for better-auth (npm) Feb 5, 2025
Eriner
Credited to Eriner
Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF' High
CVE-2025-65959 was published for open-webui (npm) Dec 4, 2025
pyozzi-toss L2VE
Credited to pyozzi-toss and L2VE
Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes High
CVE-2025-66412 was published for @angular/compiler (npm) Dec 2, 2025
alan-agius4 securityMB
crisbeto devversion AKiileX AndrewKushnir
Credited to alan-agius4, securityMB, crisbeto, devversion, AKiileX, and AndrewKushnir
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database