GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
42,101 advisories
Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes
High | CVE-2026-42612 was published for getgrav/grav (Composer) | May 5, 2026

Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel
Moderate | CVE-2026-42842 was published for getgrav/grav (Composer) | May 5, 2026

Grav CMS vulnerable to stored XSS via Markdown media attribute() action
Moderate | CVE-2026-42841 was published for getgrav/grav (Composer) | May 5, 2026

YAFNET has Stored XSS in Forum Thread Posts/Replies that Allows Arbitrary JavaScript Execution for All Thread Viewers
High | CVE-2026-43939 was published for YAFNET.Core (NuGet) | May 5, 2026

YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header
High | CVE-2026-43938 was published for YAFNET.Core (NuGet) | May 5, 2026

Fiber vulnerable to XSS in AutoFormat Content Negotiation
Moderate | CVE-2026-42554 was published for github.com/gofiber/fiber/v2 (Go) | May 5, 2026

Video: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal
Moderate | CVE-2026-43878 was published for wwbn/avideo (Composer) | May 5, 2026

AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers
Moderate | CVE-2026-43876 was published for wwbn/avideo (Composer) | May 5, 2026

ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template...
Moderate | Unreviewed | CVE-2026-38432 was published | May 5, 2026

ISPConfig 3.3.0 is vulnerable to Cross Site Scripting (XSS) via the system status webpage.
Moderate | Unreviewed | CVE-2025-52206 was published | May 5, 2026

@tdurieux/anonymous_github Vulnerable to XSS via Unsanitized GitHub Repository Content Rendering in Anonymous GitHub Origin
High | GHSA-g485-8j3v-p6x8 was published for @tdurieux/anonymous_github (npm) | May 5, 2026

AmazCart CMS 3.4 contains a reflected cross-site scripting vulnerability that allows...
Moderate | Unreviewed | CVE-2023-54349 was published | May 5, 2026

The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting...
Moderate | Unreviewed | CVE-2026-5159 was published | May 5, 2026

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via...
High | Unreviewed | CVE-2026-4803 was published | May 5, 2026

The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via...
Moderate | Unreviewed | CVE-2026-4665 was published | May 5, 2026

The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored...
Moderate | Unreviewed | CVE-2026-5247 was published | May 5, 2026

The Simple Owl Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via...
Moderate | Unreviewed | CVE-2026-6255 was published | May 5, 2026

The Blog Settings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ...
Moderate | Unreviewed | CVE-2026-6704 was published | May 5, 2026

The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting...
Moderate | Unreviewed | CVE-2026-6696 was published | May 5, 2026

The WP-Clippy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ...
Moderate | Unreviewed | CVE-2026-5505 was published | May 5, 2026

The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is...
Moderate | Unreviewed | CVE-2026-2868 was published | May 5, 2026

The Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website plugin for...
Moderate | Unreviewed | CVE-2026-4730 was published | May 5, 2026

livewire-markdown-editor has arbitrary file upload that allows stored XSS via attachment handler
High | GHSA-gxxh-8vcj-w2mh was published for mckenziearts/livewire-markdown-editor (Composer) | May 4, 2026

wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when creating a new blog.
Moderate | Unreviewed | CVE-2026-38669 was published | May 4, 2026

Cross Site Scripting vulnerability in Pluck CMS before v.4.7.21dev allows a remote attacker to...
Moderate | Unreviewed | CVE-2026-31205 was published | May 4, 2026

ProTip! Advisories are also available from the GraphQL API