Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
46
Go
3,270
Maven
5,000+
npm
5,000+
NuGet
867
pip
4,517
Pub
12
RubyGems
998
Rust
1,194
Swift
51
Unreviewed advisories
All unreviewed
5,000+

293 advisories

Loading
Stored XSS in Memray-generated HTML reports via unescaped command-line metadata Low
CVE-2026-32722 was published for memray (pip) Mar 16, 2026
0xmrma Credited to 0xmrma
mo has a XSS via inline SVG script tags in Markdown rendering Low
GHSA-vccx-p757-pv6h was published for github.com/k1LoW/mo (Go) Mar 18, 2026
yagihash Credited to yagihash
Improper detection of disallowed URIs by Loofah `allowed_uri?` Low
GHSA-46fp-8f5p-pf2m was published for loofah (RubyGems) Mar 18, 2026
Podinfo affected by Arbitrary File Upload that leads to Stored Cross-Site Scripting (XSS) Low
CVE-2025-70849 was published for github.com/stefanprodan/podinfo (Go) Feb 3, 2026
stefanprodan Credited to stefanprodan
Unhead Vulnerable to Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity Low
CVE-2026-31873 was published for unhead (npm) Mar 12, 2026
simonkoeck Credited to simonkoeck
Copyparty has unexpected JavaScript execution via crafted URL to folder with `.prologue.html` Low
CVE-2026-32109 was published for copyparty (pip) Mar 12, 2026
thesanjok Credited to thesanjok
Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page Low
GHSA-g3hp-vvqf-8vw6 was published for craftcms/cms (Composer) Mar 11, 2026
mHe4am Credited to mHe4am
Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table Low
CVE-2026-29173 was published for craftcms/commerce (Composer) Mar 10, 2026
mHe4am Credited to mHe4am
Craft Commerce has stored XSS in Craft Commerce Order Details Slideout Low
CVE-2026-29177 was published for craftcms/commerce (Composer) Mar 10, 2026
mHe4am Credited to mHe4am
defuddle vulnerable to XSS via unescaped string interpolation in _findContentBySchemaText image tag Low
CVE-2026-30830 was published for defuddle (npm) Mar 6, 2026
TinkAnet Credited to TinkAnet
mailparser vulnerable to Cross-site Scripting Low
CVE-2026-3455 was published for mailparser (npm) Mar 3, 2026
Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options Low
GHSA-4mgv-366x-qxvx was published for craftcms/cms (Composer) Mar 3, 2026
mHe4am Credited to mHe4am
funadmin: XSS through Value argument in Backend Interface component Low
CVE-2026-2897 was published for funadmin/funadmin (Composer) Feb 22, 2026
Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type Low
GHSA-6j87-m5qx-9fqp was published for craftcms/cms (Composer) Feb 25, 2026
mHe4am Credited to mHe4am
Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue Low
CVE-2026-26188 was published for solspace/craft-freeform (Composer) Jan 22, 2026
Pr4v33N-Sec Credited to Pr4v33N-Sec and kjmartens kjmartens kjmartens
Craft CMS Vulnerable to Stored XSS in Entry Types Name Low
CVE-2026-25491 was published for craftcms/cms (Composer) Feb 9, 2026
mHe4am Credited to mHe4am
Winter CMS has Stored Cross-site Scripting (XSS) in Asset Manager Low
CVE-2026-22254 was published for winter/wn-cms-module (Composer) Feb 4, 2026
iamunixtz Credited to iamunixtz
Microweber Cross-site Scripting vulnerability Low
CVE-2025-70792 was published for microweber/microweber (Composer) Feb 5, 2026
Microweber has a Cross-site Scripting vulnerability Low
CVE-2025-70791 was published for microweber/microweber (Composer) Feb 5, 2026
Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names Low
CVE-2025-11966 was published for io.vertx:vertx-web (Maven) Oct 22, 2025
SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon Low
CVE-2026-23847 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 21, 2026
jaroslaw-wawiorko Credited to jaroslaw-wawiorko
PlantUML is vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams Low
CVE-2026-0858 was published for net.sourceforge.plantuml:plantuml (Maven) Jan 16, 2026
solspace/craft-freeform Vulnerable to XSS in `PhpSpreadsheet` HTML Writer Due to Unsanitized Styling Data Low
GHSA-44jg-mv3h-wj6g was published for solspace/craft-freeform (Composer) Jan 15, 2026
riekusdn Credited to riekusdn
QuestDB UI's Web Console is Vulnerable to Cross-Site Scripting Low
CVE-2026-0824 was published for @questdb/web-console (npm) Jan 10, 2026
Orejime has executable code in HTML attributes Low
CVE-2025-68457 was published for orejime (npm) Dec 19, 2025
Rudloff Credited to Rudloff and felixgirault felixgirault felixgirault
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database