GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,299 advisories

OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender Moderate
GHSA-ffq5-qpvf-xq7x was published for openc3 (RubyGems) Apr 22, 2026
Credited to ctrlsill
justhtml has sanitization bypass in custom policies and programmatic DOM Moderate
GHSA-vrx2-77f2-ww34 was published for justhtml (pip) Apr 22, 2026
Credited to EmilStenstrom
i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header High
CVE-2026-41683 was published for i18next-http-middleware (npm) Apr 22, 2026
Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping Moderate
CVE-2026-41591 was published for @marko/runtime-tags (npm) Apr 22, 2026
Credited to k0w4lzk1
i18nextify has DOM XSS via javascript:/data: URL schemes in translated href/src attributes Moderate
GHSA-6457-mxpq-4fqq was published for i18nextify (npm) Apr 22, 2026
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) Moderate
CVE-2026-41240 was published for dompurify (npm) Apr 22, 2026
Credited to kodareef5
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode Moderate
CVE-2026-41239 was published for dompurify (npm) Apr 22, 2026
Credited to bencalif
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback Moderate
CVE-2026-41238 was published for dompurify (npm) Apr 22, 2026
Credited to trace37labs
CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS Moderate
CVE-2026-41201 was published for ci4-cms-erp/ci4ms (Composer) Apr 22, 2026
Credited to bugmithlegend and DexterHK
Astro: XSS in define:vars via incomplete </script> tag sanitization Moderate
CVE-2026-41067 was published for astro (npm) Apr 21, 2026
Credited to offset
October CMS: Reflected XSS via DataTable Form Widget Low
CVE-2026-27937 was published for october/system (Composer) Apr 21, 2026
Credited to daftspunk
pretalx vulnerable to stored cross-site scripting in organizer search typeahead High
GHSA-cjcx-jfp2-f7m2 was published for pretalx (pip) Apr 18, 2026
pretalx mail templates vulnerable to email injection via unescaped user-controlled placeholders Moderate
GHSA-jm8c-9f3j-4378 was published for pretalx (pip) Apr 18, 2026
Credited to markfijneman
goldmark vulnerable to Cross-site Scripting (XSS) Moderate
CVE-2026-5160 was published for github.com/yuin/goldmark/renderer/html (Go) Apr 17, 2026
Paperclip: Stored XSS via javascript: URLs in MarkdownBody — urlTransform override disables react-markdown sanitization Moderate
GHSA-fpw4-p57j-hqmq was published for @paperclipai/ui (npm) Apr 16, 2026
Credited to offset
zrok: Reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering Moderate
CVE-2026-40302 was published for github.com/openziti/zrok (Go) Apr 16, 2026
Credited to bugbunny-research
sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements Moderate
CVE-2026-40186 was published for sanitize-html (npm) Apr 16, 2026
Credited to offset
Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS High
CVE-2026-35569 was published for apostrophe (npm) Apr 16, 2026
Credited to Chittu13 and offset
wger has Stored XSS via Unescaped License Attribution Fields Moderate
CVE-2026-40353 was published for wger (pip) Apr 16, 2026
Credited to 0xkakash1
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR Moderate
GHSA-458j-xx4x-4375 was published for hono (npm) Apr 16, 2026
Credited to tndud042713
Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget Moderate
CVE-2026-40479 was published for kimai/kimai (Composer) Apr 15, 2026
WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS Moderate
GHSA-m7r8-6q9j-m2hc was published for wwbn/avideo (Composer) Apr 14, 2026
Novu has an XSS sanitization bypass High
GHSA-26wg-9xf2-q495 was published for novu/api (npm) Apr 14, 2026
Credited to JorianWoltjer