GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem:

All reviewed    5,000+
Composer        5,000+
Erlang          52
GitHub Actions  50
Go              3,721
Maven           5,000+
npm             5,000+
NuGet           935
pip             4,943
Pub             13
RubyGems        1,055
Rust            1,338
Swift           54

Unreviewed advisories:

All unreviewed  5,000+

42,101 advisories
FileBrowser Vulnerable to Stored XSS via SVG File in Public Share (Missing CSP Header). Moderate. GHSA-mmpx-jh39-wrv6 was published for github.com/gtsteffaniak/filebrowser (Go) on May 7, 2026.

Weblate vulnerable to XSS via crafted Markdown. Moderate. CVE-2026-44264 was published for weblate (pip) on May 7, 2026.

Kanidm: Stored HTML injection in "passkey-enrolment" partial via displayname → htmx-driven authenticated request forgery. Moderate. GHSA-gpxg-fx2g-qxj2 was published for kanidm (Rust) on May 6, 2026.

Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component. Moderate. CVE-2026-44245 was published for github.com/kyverno/policy-reporter-ui (Go) on May 6, 2026.

JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content. High. CVE-2026-42557 was published for jupyterlab (pip) on May 6, 2026.

Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp(). High. CVE-2026-42548 was published for flightphp/core (Composer) on May 6, 2026.

Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote... Moderate, unreviewed. CVE-2026-8012 was published on May 6, 2026.

Inappropriate implementation in SanitizerAPI in Google Chrome prior to 148.0.7778.96 allowed a... Moderate, unreviewed. CVE-2026-7939 was published on May 6, 2026.

Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed an... Moderate, unreviewed. CVE-2026-7958 was published on May 6, 2026.

phpMyFAQ has stored XSS via | raw Filter in search.twig — html_entity_decode(strip_tags()) Bypass in Search Result Rendering. Moderate. GHSA-pqh6-8fxf-jx22 was published for phpmyfaq/phpmyfaq (Composer) on May 6, 2026.

phpMyFAQ has a SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS. Moderate. GHSA-whqh-9pq5-c7r3 was published for phpmyfaq/phpmyfaq (Composer) on May 6, 2026.

phpMyFAQ has Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization. Moderate. GHSA-f5p7-2c9q-8896 was published for phpmyfaq/phpmyfaq (Composer) on May 6, 2026.

phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering. High. GHSA-9525-27vj-c8r8 was published for phpmyfaq/phpmyfaq (Composer) on May 6, 2026.

Cross Site Scripting vulnerability in Juzaweb CMS v.5.0.0 allows a remote attacker via execute... Moderate, unreviewed. CVE-2026-36358 was published on May 6, 2026.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')... Moderate, unreviewed. CVE-2026-42509 was published on May 6, 2026.

An authenticated (non-super) administrator can create a maintenance period with a JavaScript... High, unreviewed. CVE-2026-23926 was published on May 6, 2026.

The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute... High, unreviewed. CVE-2026-23928 was published on May 6, 2026.

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is... High, unreviewed. CVE-2026-7448 was published on May 6, 2026.

The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions... Moderate, unreviewed. CVE-2026-7457 was published on May 6, 2026.

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is... High, unreviewed. CVE-2026-7332 was published on May 6, 2026.

The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Stored... Moderate, unreviewed. CVE-2026-6672 was published on May 6, 2026.

Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display. Moderate. GHSA-fw8g-cg8f-9j28 was published for github.com/prometheus/prometheus (Go) on May 5, 2026.

ip-address has XSS in Address6 HTML-emitting methods. Moderate. CVE-2026-42338 was published for ip-address (npm) on May 5, 2026.

Grav is Vulnerable to Stored XSS via Tag Injection. High. CVE-2026-42611 was published for getgrav/grav (Composer) on May 5, 2026.

FluentCMS 1.2.3 is vulnerable to Cross Site Scripting (XSS) in TextHTML plugin. Moderate, unreviewed. CVE-2026-38947 was published on May 5, 2026.
Advisories are also available from the GraphQL API.