Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,004
Maven
5,000+
npm
5,000+
NuGet
974
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,395
Swift
61
Unreviewed advisories
All unreviewed
5,000+

355 advisories

Loading
Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization Moderate
CVE-2026-44311 was published for fabric (npm) Jun 12, 2026
Firefly II has Stored XSS in Audit Log Entry view via piggy bank name (ale.twig) Moderate
GHSA-6jq6-x4cx-qvcm was published for grumpydictator/firefly-iii (Composer) Jun 12, 2026
alanturing881 Credited to alanturing881
nebula-mesh: Newly-minted operator API key exposed in redirect URL (Referer, history, proxy logs) Moderate
CVE-2026-47768 was published for github.com/juev/nebula-mesh (Go) Jun 10, 2026
ak2k Credited to ak2k
A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow... High Unreviewed
CVE-2026-20245 was published Jun 5, 2026
CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters Moderate
CVE-2026-44587 was published for carrierwave (RubyGems) May 27, 2026
snoopysecurity Credited to snoopysecurity and bilerden bilerden bilerden
CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS Moderate
CVE-2026-26028 was published for cryptpad (npm) May 26, 2026
ixSly Credited to ixSly
Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']` Low
CVE-2026-46637 was published for twig/cssinliner-extra (Composer) May 21, 2026
Twig: The `spaceless` filter implicitly marks its output as safe Low
CVE-2026-46628 was published for twig/twig (Composer) May 21, 2026
go-git: Improper single-quote escaping in go-git SSH transport Low
CVE-2026-45570 was published for github.com/go-git/go-git (Go) May 19, 2026
N0zoM1z0 Credited to N0zoM1z0 and hiddeco hiddeco hiddeco
HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft Moderate
CVE-2026-46496 was published for @haxtheweb/haxcms-nodejs (npm) May 19, 2026
trigerman Credited to trigerman
Apostrophe has stored XSS via javascript: URL in Image Widget Link High
CVE-2026-45011 was published for apostrophe (npm) May 14, 2026
MuhammadUwais Credited to MuhammadUwais
SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution Critical
CVE-2026-45375 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
Revanth011 Credited to Revanth011
GuardDog: Unsanitized human-readable scan output allows terminal escape injection from malicious package content Moderate
CVE-2026-44972 was published for guarddog (pip) May 11, 2026
bg0d-glitch Credited to bg0d-glitch
Hono has CSS Declaration Injection via Style Object Values in JSX SSR Moderate
CVE-2026-44458 was published for hono (npm) May 9, 2026
Gayang2902 Credited to Gayang2902
SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585) Critical
CVE-2026-44588 was published for github.com/siyuan-note/siyuan/kernel (Go) May 8, 2026
Curly-Haired-Baboon Credited to Curly-Haired-Baboon
MCP Registry vulnerable to stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl` Moderate
CVE-2026-44429 was published for github.com/modelcontextprotocol/registry (Go) May 8, 2026
JosephDoUrden Credited to JosephDoUrden and rdimitrov rdimitrov rdimitrov
If a trusted template author were to write a <script> tag containing an empty 'type' attribute or... Moderate Unreviewed
CVE-2026-39826 was published May 7, 2026
Ech0's RSS feed renders unescaped tag names and raw-HTML markdown, stored XSS against subscribers Moderate
GHSA-3v85-fqvh-7rxf was published for github.com/lin-snow/Ech0 (Go) May 7, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering High
CVE-2026-46367 was published for phpmyfaq/phpmyfaq (Composer) May 6, 2026
ericliu-12 Credited to ericliu-12
YAFNET has Stored XSS in Forum Thread Posts/Replies that Allows Arbitrary JavaScript Execution for All Thread Viewers High
CVE-2026-43939 was published for YAFNET.Core (NuGet) May 5, 2026
MuhammadUwais Credited to MuhammadUwais
YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header High
CVE-2026-43938 was published for YAFNET.Core (NuGet) May 5, 2026
MuhammadUwais Credited to MuhammadUwais
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams Low
CVE-2026-42040 was published for axios (npm) May 5, 2026
August829 Credited to August829
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for... Low Unreviewed
CVE-2026-6019 was published Apr 22, 2026
PRSD detection denial of service Low Unreviewed
CVE-2026-33597 was published Apr 22, 2026
** UNSUPPORTED WHEN ASSIGNED ** An improper encoding or escaping vulnerability in the CGI program... Moderate Unreviewed
CVE-2026-6058 was published Apr 21, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database