
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

440 advisories

Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` Critical
CVE-2026-44990 was published for sanitize-html (npm) May 14, 2026
Credited to sushi-gif, arkon, Matsuuu, AND-TomHarris, and scotje
SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution Critical
CVE-2026-45375 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
Credited to Revanth011
Affected devices do not properly validate and sanitize PLC/station name rendered on the ... Critical Unreviewed
CVE-2026-25786 was published May 12, 2026
SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585) Critical
CVE-2026-44588 was published for github.com/siyuan-note/siyuan/kernel (Go) May 8, 2026
Credited to Curly-Haired-Baboon
PrestaShop has a stored XSS executable in customer service view Critical
CVE-2026-44212 was published for prestashop/prestashop (Composer) May 8, 2026
SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE Critical
CVE-2026-44670 was published for github.com/siyuan-note/siyuan/kernel (Go) May 8, 2026
Credited to Curly-Haired-Baboon
Improper neutralization of input during web page generation ('cross-site scripting')... Critical Unreviewed
CVE-2025-14320 was published May 4, 2026
Jenkins GitHub Plugin has an XSS vulnerability Critical
CVE-2026-42523 was published for org.jenkins-ci.plugins:git (Maven) Apr 29, 2026
A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and... Critical Unreviewed
CVE-2026-40470 was published Apr 23, 2026
Decidim has a cross-site scripting (XSS) in user name Critical
CVE-2026-23891 was published for decidim-core (RubyGems) Apr 13, 2026
Credited to cyberschnaps
parisneo/lollms vulnerable to stored XSS in the social feature Critical
CVE-2026-1115 was published for lollms (pip) Apr 10, 2026
SiYuan: Remote Code Execution in the Electron desktop client via stored XSS in synced table captions Critical
CVE-2026-39846 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 8, 2026
Credited to ngocnn97
Improper neutralization of input during web page generation ('cross-site scripting')... Critical Unreviewed
CVE-2026-39933 was published Apr 8, 2026
Credited to bugmithlegend and peeefour
CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS Critical
CVE-2026-34989 was published for ci4-cms-erp/ci4ms (Composer) Apr 3, 2026
Credited to bugmithlegend and peeefour
Credited to LAW6ZX7 and bugmithlegend
CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS Critical
CVE-2026-34569 was published for ci4-cms-erp/ci4ms (Composer) Apr 1, 2026
Credited to bugmithlegend and peeefour
CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS Critical
CVE-2026-34568 was published for ci4-cms-erp/ci4ms (Composer) Apr 1, 2026
Credited to bugmithlegend and peeefour
CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS Critical
CVE-2026-34567 was published for ci4-cms-erp/ci4ms (Composer) Apr 1, 2026
Credited to bugmithlegend and peeefour
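Several entries above describe the same failure in two shapes: metadata such as a package name or version concatenated straight into markup, and a value run through decodeURIComponent before landing in an attribute such as aria-label. The following is an added illustration of that pattern and its fix, written for this page; it is not code from sanitize-html, SiYuan, or any other project listed, and the package metadata, the tooltip template and the hostile inputs are all constructed here for the demonstration.

```javascript
// Added example: context-aware escaping of untrusted metadata before it is
// rendered as HTML. Generic illustration, not taken from any listed project.

// Escape a value for an HTML text node or a double-quoted attribute value.
// Covers the five characters that open a tag, close an attribute, or start
// an entity; this is the minimum for those two contexts (not for URLs,
// <script> bodies or unquoted attributes).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: stored package metadata concatenated into markup.
function renderCardUnsafe(pkg) {
  return `<div class="card"><h3>${pkg.name}</h3><span>${pkg.version}</span></div>`;
}

// Hardened shape: every untrusted field escaped for the context it lands in.
function renderCardSafe(pkg) {
  return `<div class="card"><h3>${escapeHtml(pkg.name)}</h3><span>${escapeHtml(pkg.version)}</span></div>`;
}

// Vulnerable shape: a URL-encoded value is decoded and dropped into an
// attribute. Decoding restores the quote that ends the attribute.
function renderTooltipUnsafe(encodedTitle) {
  const title = decodeURIComponent(encodedTitle);
  return `<button aria-label="${title}">?</button>`;
}

// Hardened shape: decode first, then escape for the attribute context.
// Escaping before decoding would be bypassed by %22 and %3C.
function renderTooltipSafe(encodedTitle) {
  const title = decodeURIComponent(encodedTitle);
  return `<button aria-label="${escapeHtml(title)}">?</button>`;
}

// Crude check used here to make the difference measurable: count tags in the
// rendered string. The card template contributes exactly six; anything more
// came from the data.
function countTags(html) {
  return (html.match(/<[a-zA-Z/][^>]*>/g) || []).length;
}

// Return the first aria-label value as an HTML parser would see it
// (everything up to the next double quote).
function extractAriaLabel(html) {
  const m = html.match(/aria-label="([^"]*)"/);
  return m ? m[1] : null;
}

// Constructed hostile inputs (not taken from any advisory on this page).
const hostilePkg = {
  name: '<img src=x onerror="alert(1)">',
  version: '1.0.0"><script>alert(2)</script>',
};
const hostileTitle = encodeURIComponent('x" onmouseover="alert(3)');

// Summary of the four renderings, for running the file stand-alone.
function report() {
  return {
    unsafeCardTags: countTags(renderCardUnsafe(hostilePkg)),   // 9
    safeCardTags: countTags(renderCardSafe(hostilePkg)),       // 6
    unsafeLabel: extractAriaLabel(renderTooltipUnsafe(hostileTitle)), // 'x'
    safeLabel: extractAriaLabel(renderTooltipSafe(hostileTitle)),
  };
}

console.log(report());
```

The escape function is the same for both sinks because both are quoted contexts; the thing that changes between the two hardened renderers is the ordering, decode and then escape. In an Electron renderer that has Node integration enabled or a preload bridge exposing privileged APIs, the injected handler runs with those privileges, which is why the SiYuan entries above are listed as code execution rather than plain XSS.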