Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

120 advisories

Loading
Gogs's Unauthenticated Jupyter Notebook (ipynb) Sanitizer allows arbitrary data: URIs leading to XSS Moderate
CVE-2026-52816 was published for gogs.io/gogs (Go) Jun 23, 2026
JLGitHub66 Credited to JLGitHub66
OctoPrint has XSS in its Suppressed Command Notifications Moderate
CVE-2026-35163 was published for OctoPrint (pip) Jun 23, 2026
jacopotediosi Credited to jacopotediosi
Gogs: XSS in .ipynb files renderer due to outdated notebookjs High
GHSA-6vxv-wg6j-5qwp was published for gogs.io/gogs (Go) Jun 19, 2026
Aikido-Security Credited to Aikido-Security, JorianWoltjer, and grumpinout1 JorianWoltjer JorianWoltjer
grumpinout1 grumpinout1
StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled High
CVE-2026-55692 was published for starcitizenwiki/embedvideo (Composer) Jun 19, 2026
StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized class passed to template High
CVE-2026-55691 was published for starcitizenwiki/embedvideo (Composer) Jun 19, 2026
StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized service name in exception text High
CVE-2026-55690 was published for starcitizenwiki/embedvideo (Composer) Jun 19, 2026
Astro: Reflected XSS via unescaped slot name High
CVE-2026-50146 was published for astro (npm) Jun 16, 2026
floudeciel Credited to floudeciel
md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed) High
CVE-2026-46492 was published for md-fileserver (npm) May 21, 2026
kiwi865 Credited to kiwi865
Open WebUI Has Stored Cross-Site Scripting in SVG Renderer Moderate
CVE-2026-45346 was published for open-webui (npm) May 14, 2026
ZoczuS Credited to ZoczuS
Weblate vulnerable to XSS via crafted Markdown Moderate
CVE-2026-44264 was published for weblate (pip) May 7, 2026
nijel Credited to nijel
MuhammadUwais Credited to MuhammadUwais
YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header High
CVE-2026-43938 was published for YAFNET.Core (NuGet) May 5, 2026
MuhammadUwais Credited to MuhammadUwais
@tdurieux/anonymous_github Vulnerable to XSS via Unsanitized GitHub Repository Content Rendering in Anonymous GitHub Origin High
GHSA-g485-8j3v-p6x8 was published for @tdurieux/anonymous_github (npm) May 5, 2026
jackfromeast Credited to jackfromeast and P3ngu1nW P3ngu1nW P3ngu1nW
PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer Moderate
CVE-2026-35453 was published for phpoffice/phpspreadsheet (Composer) Apr 28, 2026
marduc812 Credited to marduc812
XWiki has Reflected Cross-Site Scripting (XSS) in page history compare Moderate
CVE-2026-40105 was published for org.xwiki.platform:xwiki-platform-web-templates (Maven) Apr 14, 2026
mikecole-mg Credited to mikecole-mg
Home Assistant has stored XSS in Map-card through malicious device name Low
CVE-2026-33044 was published for homeassistant (pip) Mar 27, 2026
pwnpanda Credited to pwnpanda
OpenBao has Reflected XSS in its OIDC authentication error message Critical
CVE-2026-33758 was published for github.com/openbao/openbao (Go) Mar 26, 2026
gianklug Credited to gianklug
JustHTML is vulnerable to XSS via code fence breakout in <pre> content High
GHSA-5vp3-3cg6-2rq3 was published for justhtml (pip) Mar 24, 2026
AlfinJ0se Credited to AlfinJ0se
The Query Monitor plugin for WordPress has Reflected Cross-Site Scripting via Request URI Moderate
CVE-2026-4267 was published for johnbillion/query-monitor (Composer) Mar 19, 2026
Filament Unvalidated Range and Values summarizer values can be used for XSS High
CVE-2026-33080 was published for filament/tables (Composer) Mar 18, 2026
danharrin Credited to danharrin
XSS in @leanprover/unicode-input-component Low
CVE-2026-32732 was published for @leanprover/unicode-input-component (npm) Mar 16, 2026
LeafKit's HTML escaping may be skipped for Collection values, enabling XSS Moderate
CVE-2026-28499 was published for github.com/vapor/leaf-kit (Swift) Mar 16, 2026
iCMDdev Credited to iCMDdev, gwynne, and 0xTim gwynne gwynne
0xTim 0xTim
n8n Vulnerable to Stored XSS via Various Nodes High
CVE-2026-27578 was published for n8n (npm) Feb 25, 2026
ori-ron Credited to ori-ron, Aikido-Security, and nil340 Aikido-Security Aikido-Security
nil340 nil340
Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module Moderate
CVE-2026-27116 was published for code.vikunja.io/api (Go) Feb 25, 2026
sudo0xksh Credited to sudo0xksh
Vikunja Vulnerable to XSS Via Task Preview High
CVE-2026-25935 was published for code.vikunja.io/api (Go) Feb 11, 2026
supercoolspy Credited to supercoolspy
ProTip! Advisories are also available from the GraphQL API