GitHub Advisory Database
A security vulnerability database covering CVEs and GitHub-originated security advisories for open source software.
GitHub-reviewed advisories by ecosystem (counts above 5,000 are shown as 5,000+):
  All reviewed    5,000+
  Composer        5,000+
  Erlang          70
  GitHub Actions  52
  Go              3,904
  Maven           5,000+
  npm             5,000+
  NuGet           967
  pip             5,000+
  Pub             13
  RubyGems        1,062
  Rust            1,374
  Swift           54
Unreviewed advisories:
  All unreviewed  5,000+
793 advisories
LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS
  Moderate · CVE-2026-44644 · liquidjs (npm) · published May 27, 2026

CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS
  Moderate · CVE-2026-26028 · cryptpad (npm) · published May 26, 2026

Typebot.io has stored XSS via `javascript`: URI in text bubble links — bot author executes JS on visitors' browsers
  Moderate · CVE-2026-39964 · @typebot.io/js (npm) · published May 26, 2026

Typebot has Stored XSS via Rating Block Custom Icon that Bypasses isUnsafe Sandbox in Builder Preview
  High · CVE-2026-28445 · @typebot.io/js (npm) · published May 26, 2026

NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL
  Moderate · CVE-2026-46547 · nocodb (npm) · published May 21, 2026

Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
  Critical · CVE-2026-44990 · sanitize-html (npm) · published May 14, 2026

TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`
  Low · CVE-2026-47099 · telejson (npm) · published Apr 2, 2026

Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
  Low · CVE-2026-46342 · @nuxt/nitro-server (npm) · published May 19, 2026

Budibase: Unrestricted Upload of File with Dangerous Type
  High · CVE-2026-46426 · budibase (npm) · published May 19, 2026

Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order
  High · CVE-2026-45665 · open-webui (npm) · published May 14, 2026

HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack
  High · CVE-2026-46511 · @haxtheweb/haxcms-nodejs (npm) · published May 19, 2026

Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover
  High · CVE-2026-46396 · @haxtheweb/haxcms-nodejs (npm) · published May 19, 2026

HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft
  Moderate · CVE-2026-46496 · @haxtheweb/haxcms-nodejs (npm) · published May 19, 2026

Sveltia CMS: Stored XSS in entry summary rendering via entity-decoded HTML
  Low · GHSA-97r8-rf7q-wmjw · @sveltia/cms (npm) · published May 18, 2026

open-webui Vulnerable to Stored XSS via Model Description
  High · CVE-2026-44721 · open-webui (npm) · published May 8, 2026

Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces
  Moderate · CVE-2026-44581 · next (npm) · published May 11, 2026

Astro: Server island encrypted parameters vulnerable to cross-component replay
  Low · CVE-2026-45028 · astro (npm) · published May 13, 2026

Next.js has cross-site scripting in beforeInteractive scripts with untrusted input
  Moderate · CVE-2026-44580 · next (npm) · published May 11, 2026

Svelte: SSR XSS via Insecure Promise Serialization in hydratable
  Moderate · GHSA-f3cj-j4f6-wq85 · svelte (npm) · published May 14, 2026

Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State
  Moderate · CVE-2026-42573 · svelte (npm) · published May 14, 2026

Svelte SSR vulnerable to cross-site scripting via spread attributes
  Moderate · CVE-2026-42599 · svelte (npm) · published May 14, 2026

Apostrophe has stored XSS via javascript: URL in Image Widget Link
  High · CVE-2026-45011 · apostrophe (npm) · published May 14, 2026

ip-address has XSS in Address6 HTML-emitting methods
  Moderate · CVE-2026-42338 · ip-address (npm) · published May 5, 2026

LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution
  Moderate · CVE-2026-42045 · @lobehub/lobehub (npm) · published May 5, 2026

locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor
  High · CVE-2026-41886 · locize (npm) · published Apr 22, 2026
Advisories are also available from the GraphQL API.
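The listing above is the human-readable view of the database; the same records can be pulled programmatically and matched against what a project actually has installed. The script below is an added example, not GitHub's own tooling and not code from this page. It issues the GraphQL `securityVulnerabilities` query for one npm package (the query shape and field names follow GitHub's GraphQL schema as the author of this example understands it; the live call needs network access and a token in the `GITHUB_TOKEN` environment variable, both assumptions) and, separately, triages a response against a dependency snapshot: it evaluates the database's comma-separated version-range syntax, keeps only advisories whose range covers the installed version, and orders hits worst severity first with the first patched version to move to. The embedded sample response is constructed: its package names, severities, identifiers and dates are taken from the listing above, but the version ranges and patched versions are illustrative placeholders rather than the advisories' real affected ranges, and the GHSA id of the CVE-only entries is not shown on this page and is left as `None`.

```python
"""Added example: query the GitHub Advisory Database over GraphQL and triage
the result against installed npm packages. Not GitHub's own tooling."""
import json
import os
import re
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# securityVulnerabilities is the package-oriented entry point of GitHub's
# GraphQL schema: filter by ecosystem and package, most recently updated first.
QUERY = """
query($pkg: String!, $n: Int!) {
  securityVulnerabilities(ecosystem: NPM, package: $pkg, first: $n,
                          orderBy: {field: UPDATED_AT, direction: DESC}) {
    nodes {
      advisory { ghsaId summary severity publishedAt identifiers { type value } }
      package { name ecosystem }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
    }
  }
}
"""


def fetch_vulnerabilities(package: str, n: int = 20) -> list:
    """Live query: needs network and a token in GITHUB_TOKEN (assumed). Not run offline."""
    body = json.dumps({"query": QUERY, "variables": {"pkg": package, "n": n}}).encode()
    req = urllib.request.Request(GRAPHQL_URL, data=body, headers={
        "Authorization": "bearer " + os.environ["GITHUB_TOKEN"],
        "Content-Type": "application/json",
        "User-Agent": "advisory-triage-example",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        data = json.load(resp)
    if "errors" in data:  # GraphQL answers HTTP 200 even when the query failed
        raise RuntimeError(data["errors"])
    return data["data"]["securityVulnerabilities"]["nodes"]


SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MODERATE": 2, "LOW": 1}
_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b}


def _vtuple(v: str) -> tuple:
    """Numeric components only; pre-release tags such as -canary.1 are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))


def in_range(version: str, vrange: str) -> bool:
    """vrange is the database's syntax: comma-separated clauses that must all
    hold, e.g. '>= 10.0.0, < 10.21.1' or '< 2.3.4'."""
    v = _vtuple(version)
    for clause in vrange.split(","):
        op, bound = clause.strip().split(" ", 1)
        if not _OPS[op](v, _vtuple(bound)):
            return False
    return True


def triage(nodes: list, installed: dict) -> list:
    """Advisories whose vulnerable range covers an installed version, worst
    severity first, each with the first patched version to upgrade to."""
    hits = []
    for n in nodes:
        name = n["package"]["name"]
        if name not in installed or not in_range(installed[name], n["vulnerableVersionRange"]):
            continue
        adv = n["advisory"]
        cve = next((i["value"] for i in adv["identifiers"] if i["type"] == "CVE"), None)
        hits.append({"package": name, "installed": installed[name],
                     "ghsa": adv["ghsaId"], "cve": cve, "severity": adv["severity"],
                     "fix": (n.get("firstPatchedVersion") or {}).get("identifier"),
                     "summary": adv["summary"]})
    hits.sort(key=lambda h: (-SEVERITY_RANK[h["severity"]], h["package"]))
    return hits


def _node(name, ghsa, cve, severity, published, summary, vrange, fix):
    """Build one node in the shape of a securityVulnerabilities response."""
    ids = [{"type": "GHSA", "value": ghsa}] if ghsa else []
    if cve:
        ids.append({"type": "CVE", "value": cve})
    return {"advisory": {"ghsaId": ghsa, "summary": summary, "severity": severity,
                         "publishedAt": published, "identifiers": ids},
            "package": {"name": name, "ecosystem": "NPM"},
            "vulnerableVersionRange": vrange,
            "firstPatchedVersion": {"identifier": fix} if fix else None}


# CONSTRUCTED sample response. Names, severities, identifiers and dates come
# from the listing on this page (time of day zeroed); version ranges and
# patched versions are ILLUSTRATIVE placeholders, not the real affected ranges,
# and the GHSA id of the CVE-only entries is not shown on the page (None).
SAMPLE_NODES = [
    _node("sanitize-html", None, "CVE-2026-44990", "CRITICAL", "2026-05-14T00:00:00Z",
          "Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`",
          "< 2.99.0", "2.99.0"),
    _node("svelte", "GHSA-f3cj-j4f6-wq85", None, "MODERATE", "2026-05-14T00:00:00Z",
          "Svelte: SSR XSS via Insecure Promise Serialization in hydratable",
          ">= 5.0.0, < 5.99.0", "5.99.0"),
    _node("@sveltia/cms", "GHSA-97r8-rf7q-wmjw", None, "LOW", "2026-05-18T00:00:00Z",
          "Sveltia CMS: Stored XSS in entry summary rendering via entity-decoded HTML",
          "< 0.99.0", "0.99.0"),
    _node("next", None, "CVE-2026-44581", "MODERATE", "2026-05-11T00:00:00Z",
          "Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces",
          ">= 15.0.0, < 15.99.0", "15.99.0"),
]

# CONSTRUCTED dependency snapshot (what a lockfile would say); next sits below
# the sample range, so it must not be reported.
INSTALLED = {"sanitize-html": "2.0.0", "svelte": "5.0.0",
             "@sveltia/cms": "0.1.0", "next": "14.2.0"}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_NODES, INSTALLED), indent=2))
```

Run as-is it triages the constructed sample offline; swap `SAMPLE_NODES` for `fetch_vulnerabilities("svelte")` to triage live data. The range evaluator deliberately compares numeric components only: the database's ranges are plain semver bounds, and a pre-release such as `15.0.0-canary.1` is treated as its base version, which errs on the side of reporting.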