GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
364 advisories
Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping
Moderate
CVE-2026-41591
was published
for
@marko/runtime-tags
(npm)
Apr 22, 2026
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
Moderate
CVE-2026-41240
was published
for
dompurify
(npm)
Apr 22, 2026
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
Moderate
CVE-2026-41239
was published
for
dompurify
(npm)
Apr 22, 2026
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
Moderate
CVE-2026-41238
was published
for
dompurify
(npm)
Apr 22, 2026
Astro: XSS in define:vars via incomplete </script> tag sanitization
Moderate
CVE-2026-41067
was published
for
astro
(npm)
Apr 21, 2026
Cross-site Scripting (XSS) in serialize-javascript
Moderate
CVE-2024-11831
was published
for
serialize-javascript
(npm)
Feb 10, 2025
Paperclip: Stored XSS via javascript: URLs in MarkdownBody — urlTransform override disables react-markdown sanitization
Moderate
GHSA-fpw4-p57j-hqmq
was published
for
@paperclipai/ui
(npm)
Apr 16, 2026
sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements
Moderate
CVE-2026-40186
was published
for
sanitize-html
(npm)
Apr 16, 2026
Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS
High
CVE-2026-35569
was published
for
apostrophe
(npm)
Apr 16, 2026
ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context
Moderate
CVE-2026-33889
was published
for
apostrophe
(npm)
Apr 16, 2026
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR
Moderate
GHSA-458j-xx4x-4375
was published
for
hono
(npm)
Apr 16, 2026
Novu has a XSS sanitization bypass
High
GHSA-26wg-9xf2-q495
was published
for
novu/api
(npm)
Apr 14, 2026
unhead: Streaming SSR `streamKey` injected into inline script without identifier validation
Low
GHSA-x7mm-9vvv-64w8
was published
for
unhead
(npm)
Apr 10, 2026
dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration
High
CVE-2026-34725
was published
for
dbgate-web
(npm)
Apr 1, 2026
n8n has XSS in Chat Trigger Node through Custom CSS
Moderate
GHSA-3c7f-5hgj-h279
was published
for
n8n
(npm)
Mar 27, 2026
TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`
Low
GHSA-ccgf-5rwj-j3hv
was published
for
telejson
(npm)
Apr 2, 2026
ProTip!
Advisories are also available from the
GraphQL API