GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
765 advisories
Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS
High
CVE-2026-40171
was published
for
@jupyter-notebook/help-extension
(npm)
Apr 30, 2026
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
Moderate
CVE-2026-41305
was published
for
postcss
(npm)
Apr 24, 2026
Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping
Moderate
CVE-2026-41591
was published
for
@marko/runtime-tags
(npm)
Apr 22, 2026
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
Moderate
CVE-2026-41240
was published
for
dompurify
(npm)
Apr 22, 2026
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
Moderate
CVE-2026-41239
was published
for
dompurify
(npm)
Apr 22, 2026
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
Moderate
CVE-2026-41238
was published
for
dompurify
(npm)
Apr 22, 2026
Astro: XSS in define:vars via incomplete </script> tag sanitization
Moderate
CVE-2026-41067
was published
for
astro
(npm)
Apr 21, 2026
Paperclip: Stored XSS via javascript: URLs in MarkdownBody — urlTransform override disables react-markdown sanitization
Moderate
GHSA-fpw4-p57j-hqmq
was published
for
@paperclipai/ui
(npm)
Apr 16, 2026
sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements
Moderate
CVE-2026-40186
was published
for
sanitize-html
(npm)
Apr 16, 2026
Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS
High
CVE-2026-35569
was published
for
apostrophe
(npm)
Apr 16, 2026
ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context
Moderate
CVE-2026-33889
was published
for
apostrophe
(npm)
Apr 16, 2026
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR
Moderate
GHSA-458j-xx4x-4375
was published
for
hono
(npm)
Apr 16, 2026
Novu has a XSS sanitization bypass
High
GHSA-26wg-9xf2-q495
was published
for
novu/api
(npm)
Apr 14, 2026
unhead: Streaming SSR `streamKey` injected into inline script without identifier validation
Low
GHSA-x7mm-9vvv-64w8
was published
for
unhead
(npm)
Apr 10, 2026
TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`
Low
GHSA-ccgf-5rwj-j3hv
was published
for
telejson
(npm)
Apr 2, 2026
dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration
High
CVE-2026-34725
was published
for
dbgate-web
(npm)
Apr 1, 2026
DOMPurify is vulnerable to mutation-XSS via Re-Contextualization
Moderate
GHSA-h8r8-wccr-v5f2
was published
for
dompurify
(npm)
Mar 27, 2026
ProTip!
Advisories are also available from the
GraphQL API