GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
4,482 advisories
FileBrowser Vulnerable to Stored XSS via SVG File in Public Share (Missing CSP Header)
Moderate
GHSA-mmpx-jh39-wrv6
was published
for
github.com/gtsteffaniak/filebrowser
(Go)
May 7, 2026
Weblate vulnerable to XSS via crafted Markdown
Moderate
CVE-2026-44264
was published
for
weblate
(pip)
May 7, 2026
Kanidm: Stored HTML injection in "passkey-enrolment" partial via displayname → htmx-driven authenticated request forgery
Moderate
GHSA-gpxg-fx2g-qxj2
was published
for
kanidm
(Rust)
May 6, 2026
Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component
Moderate
CVE-2026-44245
was published
for
github.com/kyverno/policy-reporter-ui
(Go)
May 6, 2026
JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content
High
CVE-2026-42557
was published
for
jupyterlab
(pip)
May 6, 2026
Flight has reflected XSS through an unvalidated JSONP callback in Flight::jsonp()
High
CVE-2026-42548
was published
for
flightphp/core
(Composer)
May 6, 2026
phpMyFAQ has stored XSS via | raw Filter in search.twig — html_entity_decode(strip_tags()) Bypass in Search Result Rendering
Moderate
GHSA-pqh6-8fxf-jx22
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 6, 2026
phpMyFAQ has a SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS
Moderate
GHSA-whqh-9pq5-c7r3
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 6, 2026
phpMyFAQ has Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization
Moderate
GHSA-f5p7-2c9q-8896
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 6, 2026
phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering
High
GHSA-9525-27vj-c8r8
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 6, 2026
Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display
Moderate
GHSA-fw8g-cg8f-9j28
was published
for
github.com/prometheus/prometheus
(Go)
May 5, 2026
ip-address has XSS in Address6 HTML-emitting methods
Moderate
CVE-2026-42338
was published
for
ip-address
(npm)
May 5, 2026
Grav is Vulnerable to Stored XSS via Tag Injection
High
CVE-2026-42611
was published
for
getgrav/grav
(Composer)
May 5, 2026
Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes
High
CVE-2026-42612
was published
for
getgrav/grav
(Composer)
May 5, 2026
Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel
Moderate
CVE-2026-42842
was published
for
getgrav/grav
(Composer)
May 5, 2026
Grav CMS vulnerable to stored XSS via Markdown media attribute() action
Moderate
CVE-2026-42841
was published
for
getgrav/grav
(Composer)
May 5, 2026
YAFNET has Stored XSS in Forum Thread Posts/Replies that Allows Arbitrary JavaScript Execution for All Thread Viewers
High
CVE-2026-43939
was published
for
YAFNET.Core
(NuGet)
May 5, 2026
YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header
High
CVE-2026-43938
was published
for
YAFNET.Core
(NuGet)
May 5, 2026
Fiber vulnerable to XSS in AutoFormat Content Negotiation
Moderate
CVE-2026-42554
was published
for
github.com/gofiber/fiber/v2
(Go)
May 5, 2026
Video: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal
Moderate
CVE-2026-43878
was published
for
wwbn/avideo
(Composer)
May 5, 2026
AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers
Moderate
CVE-2026-43876
was published
for
wwbn/avideo
(Composer)
May 5, 2026
@tdurieux/anonymous_github Vulnerable to XSS via Unsanitized GitHub Repository Content Rendering in Anonymous GitHub Origin
High
GHSA-g485-8j3v-p6x8
was published
for
@tdurieux/anonymous_github
(npm)
May 5, 2026
ProTip!
Advisories are also available from the
GraphQL API