GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 55
GitHub Actions: 50
Go: 3,732
Maven: 5,000+
npm: 5,000+
NuGet: 935
pip: 4,952
Pub: 13
RubyGems: 1,055
Rust: 1,343
Swift: 54

Unreviewed advisories
All unreviewed: 5,000+
37 advisories
Magento LTS: Reflected XSS - Import -> Data Flow (profiles)
Moderate. CVE-2026-42458 was published for openmage/magento-lts (Composer) on May 6, 2026.

n8n Vulnerable to XSS via MCP OAuth client
High. CVE-2026-42235 was published for n8n (npm) on Apr 29, 2026.

DotNetNuke.Core has stored cross-site-scripting (XSS) via SVG upload
High. CVE-2026-40321 was published for DotNetNuke.Core (NuGet) on Apr 10, 2026.

The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable...
Moderate, Unreviewed. CVE-2025-14732 was published on Apr 8, 2026.

Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation...
Moderate, Unreviewed. CVE-2026-22711 was published on Apr 7, 2026.

YesWiki has Persistent Blind XSS at "/?BazaR&vue=consulter"
High. CVE-2026-34598 was published for yeswiki/yeswiki (Composer) on Apr 1, 2026.

Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster
Moderate. CVE-2026-27120 was published for github.com/vapor/leaf-kit (Swift) on Feb 19, 2026.

Contao is vulnerable to cross-site scripting in templates
Low. CVE-2025-65961 was published for contao/core-bundle (Composer) on Nov 25, 2025.

bagisto has Cross Site Scripting (XSS) in Create New Customer
Moderate. CVE-2025-62414 was published for bagisto/bagisto (Composer) on Oct 16, 2025.

bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)
Moderate. CVE-2025-62418 was published for bagisto/bagisto (Composer) on Oct 16, 2025.

bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)
Moderate. CVE-2025-62415 was published for bagisto/bagisto (Composer) on Oct 16, 2025.

The Ova Advent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's...
Moderate, Unreviewed. CVE-2025-8561 was published on Oct 15, 2025.

Node-SAML SAML Authentication Bypass
Critical. CVE-2025-54369 was published for @node-saml/node-saml (npm) on Jul 25, 2025.

Hax CMS Stored Cross-Site Scripting vulnerability
High. CVE-2025-49137 was published for elmsln/haxcms (Composer) on Jun 9, 2025.

Gokapi vulnerable to stored XSS via uploading file with malicious file name
Moderate. CVE-2025-48494 was published for github.com/forceu/gokapi (Go) on Jun 3, 2025.

Gokapi has stored XSS vulnerability in friendly name for API keys
Moderate. CVE-2025-48495 was published for github.com/forceu/gokapi (Go) on Jun 3, 2025.

Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]
Moderate. CVE-2025-27793 was published for vega (npm) on Mar 27, 2025.

The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross...
Moderate, Unreviewed. CVE-2024-8505 was published on Oct 2, 2024.

The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site...
Moderate, Unreviewed. CVE-2024-4459 was published on Jun 6, 2024.

The Opal Estate Pro – Property Management and Submission plugin for WordPress is vulnerable to...
Moderate, Unreviewed. CVE-2024-3666 was published on May 22, 2024.

The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting...
Moderate, Unreviewed. CVE-2024-3519 was published on May 22, 2024.

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site...
Moderate, Unreviewed. CVE-2024-2750 was published on May 2, 2024.

Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags
High. CVE-2024-32463 was published for phlex (RubyGems) on Apr 17, 2024.

The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the...
Moderate, Unreviewed. CVE-2024-3162 was published on Apr 3, 2024.

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via...
Moderate, Unreviewed. CVE-2023-6446 was published on Jan 11, 2024.
ProTip! Advisories are also available from the GraphQL API.