GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,217
Maven
5,000+
npm
5,000+
NuGet
1,021
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,443
Swift
61
Unreviewed advisories
All unreviewed
5,000+
120 advisories
Filter by severity
Gogs's Unauthenticated Jupyter Notebook (ipynb) Sanitizer allows arbitrary data: URIs leading to XSS
Moderate
CVE-2026-52816
was published
for
gogs.io/gogs
(Go)
Jun 23, 2026
OctoPrint has XSS in its Suppressed Command Notifications
Moderate
CVE-2026-35163
was published
for
OctoPrint
(pip)
Jun 23, 2026
Gogs: XSS in .ipynb files renderer due to outdated notebookjs
High
GHSA-6vxv-wg6j-5qwp
was published
for
gogs.io/gogs
(Go)
Jun 19, 2026
StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled
High
CVE-2026-55692
was published
for
starcitizenwiki/embedvideo
(Composer)
Jun 19, 2026
StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized class passed to template
High
CVE-2026-55691
was published
for
starcitizenwiki/embedvideo
(Composer)
Jun 19, 2026
StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized service name in exception text
High
CVE-2026-55690
was published
for
starcitizenwiki/embedvideo
(Composer)
Jun 19, 2026
Astro: Reflected XSS via unescaped slot name
High
CVE-2026-50146
was published
for
astro
(npm)
Jun 16, 2026
md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)
High
CVE-2026-46492
was published
for
md-fileserver
(npm)
May 21, 2026
Open WebUI Has Stored Cross-Site Scripting in SVG Renderer
Moderate
CVE-2026-45346
was published
for
open-webui
(npm)
May 14, 2026
Weblate vulnerable to XSS via crafted Markdown
Moderate
CVE-2026-44264
was published
for
weblate
(pip)
May 7, 2026
YAFNET has Stored XSS in Forum Thread Posts/Replies that Allows Arbitrary JavaScript Execution for All Thread Viewers
High
CVE-2026-43939
was published
for
YAFNET.Core
(NuGet)
May 5, 2026
YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header
High
CVE-2026-43938
was published
for
YAFNET.Core
(NuGet)
May 5, 2026
@tdurieux/anonymous_github Vulnerable to XSS via Unsanitized GitHub Repository Content Rendering in Anonymous GitHub Origin
High
GHSA-g485-8j3v-p6x8
was published
for
@tdurieux/anonymous_github
(npm)
May 5, 2026
PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer
Moderate
CVE-2026-35453
was published
for
phpoffice/phpspreadsheet
(Composer)
Apr 28, 2026
XWiki has Reflected Cross-Site Scripting (XSS) in page history compare
Moderate
CVE-2026-40105
was published
for
org.xwiki.platform:xwiki-platform-web-templates
(Maven)
Apr 14, 2026
Home Assistant has stored XSS in Map-card through malicious device name
Low
CVE-2026-33044
was published
for
homeassistant
(pip)
Mar 27, 2026
OpenBao has Reflected XSS in its OIDC authentication error message
Critical
CVE-2026-33758
was published
for
github.com/openbao/openbao
(Go)
Mar 26, 2026
JustHTML is vulnerable to XSS via code fence breakout in <pre> content
High
GHSA-5vp3-3cg6-2rq3
was published
for
justhtml
(pip)
Mar 24, 2026
The Query Monitor plugin for WordPress has Reflected Cross-Site Scripting via Request URI
Moderate
CVE-2026-4267
was published
for
johnbillion/query-monitor
(Composer)
Mar 19, 2026
Filament Unvalidated Range and Values summarizer values can be used for XSS
High
CVE-2026-33080
was published
for
filament/tables
(Composer)
Mar 18, 2026
XSS in @leanprover/unicode-input-component
Low
CVE-2026-32732
was published
for
@leanprover/unicode-input-component
(npm)
Mar 16, 2026
LeafKit's HTML escaping may be skipped for Collection values, enabling XSS
Moderate
CVE-2026-28499
was published
for
github.com/vapor/leaf-kit
(Swift)
Mar 16, 2026
n8n Vulnerable to Stored XSS via Various Nodes
High
CVE-2026-27578
was published
for
n8n
(npm)
Feb 25, 2026
Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module
Moderate
CVE-2026-27116
was published
for
code.vikunja.io/api
(Go)
Feb 25, 2026
Vikunja Vulnerable to XSS Via Task Preview
High
CVE-2026-25935
was published
for
code.vikunja.io/api
(Go)
Feb 11, 2026
ProTip!
Advisories are also available from the
GraphQL API