Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
55
GitHub Actions
50
Go
3,722
Maven
5,000+
npm
5,000+
NuGet
935
pip
4,943
Pub
13
RubyGems
1,055
Rust
1,338
Swift
54
Unreviewed advisories
All unreviewed
5,000+

769 advisories

Loading
ip-address has XSS in Address6 HTML-emitting methods Moderate
CVE-2026-42338 was published for ip-address (npm) May 5, 2026
scovetta Credited to scovetta
@tdurieux/anonymous_github Vulnerable to XSS via Unsanitized GitHub Repository Content Rendering in Anonymous GitHub Origin High
GHSA-g485-8j3v-p6x8 was published for @tdurieux/anonymous_github (npm) May 5, 2026
jackfromeast Credited to jackfromeast and P3ngu1nW P3ngu1nW P3ngu1nW
@diplodoc/search-extension allows stored XSS via Markdown file title Moderate
CVE-2026-40201 was published for @diplodoc/search-extension (npm) May 1, 2026
Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS High
CVE-2026-40171 was published for @jupyter-notebook/help-extension (npm) Apr 30, 2026
dtrops Credited to dtrops, Carreau, Yann-P, krassowski, and jtpio Carreau Carreau
Yann-P Yann-P krassowski krassowski jtpio jtpio
CyberChef has a Cross-site Scripting issue High
CVE-2026-42615 was published for cyberchef (npm) Apr 29, 2026
Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering) Moderate
GHSA-39h7-pwv7-rc3x was published for @excalidraw/excalidraw (npm) Apr 24, 2026
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output Moderate
CVE-2026-41305 was published for postcss (npm) Apr 24, 2026
TharVid Credited to TharVid
locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor High
CVE-2026-41886 was published for locize (npm) Apr 22, 2026
i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header High
CVE-2026-41683 was published for i18next-http-middleware (npm) Apr 22, 2026
Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping Moderate
CVE-2026-41591 was published for @marko/runtime-tags (npm) Apr 22, 2026
k0w4lzk1 Credited to k0w4lzk1
i18nextify has DOM XSS via javascript:/data: URL schemes in translated href/src attributes Moderate
CVE-2026-41692 was published for i18nextify (npm) Apr 22, 2026
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) Moderate
CVE-2026-41240 was published for dompurify (npm) Apr 22, 2026
kodareef5 Credited to kodareef5
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode Moderate
CVE-2026-41239 was published for dompurify (npm) Apr 22, 2026
bencalif Credited to bencalif
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback Moderate
CVE-2026-41238 was published for dompurify (npm) Apr 22, 2026
trace37labs Credited to trace37labs
Astro: XSS in define:vars via incomplete </script> tag sanitization Moderate
CVE-2026-41067 was published for astro (npm) Apr 21, 2026
offset Credited to offset
Paperclip: Stored XSS via javascript: URLs in MarkdownBody — urlTransform override disables react-markdown sanitization Moderate
GHSA-fpw4-p57j-hqmq was published for @paperclipai/ui (npm) Apr 16, 2026
offset Credited to offset
sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements Moderate
CVE-2026-40186 was published for sanitize-html (npm) Apr 16, 2026
offset Credited to offset
Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS High
CVE-2026-35569 was published for apostrophe (npm) Apr 16, 2026
Chittu13 Credited to Chittu13
ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context Moderate
CVE-2026-33889 was published for apostrophe (npm) Apr 16, 2026
offset Credited to offset
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR Moderate
GHSA-458j-xx4x-4375 was published for hono (npm) Apr 16, 2026
tndud042713 Credited to tndud042713
Novu has a XSS sanitization bypass High
GHSA-26wg-9xf2-q495 was published for novu/api (npm) Apr 14, 2026
JorianWoltjer Credited to JorianWoltjer
DbGate has cross site scripting via the SVG Icon String Handler component Low
CVE-2026-6216 was published for dbgate-web (npm) Apr 13, 2026
unhead: Streaming SSR `streamKey` injected into inline script without identifier validation Low
GHSA-x7mm-9vvv-64w8 was published for unhead (npm) Apr 10, 2026
Jvr2022 Credited to Jvr2022
TeleJSON: DOM XSS via unsanitised constructor name in `new Function()` Low
GHSA-ccgf-5rwj-j3hv was published for telejson (npm) Apr 2, 2026
Niccolo10 Credited to Niccolo10
dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration High
CVE-2026-34725 was published for dbgate-web (npm) Apr 1, 2026
ngocnn97 Credited to ngocnn97
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database