GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

444 advisories

Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS
CVE-2026-40171, published for @jupyter-notebook/help-extension (npm) on Apr 30, 2026. Severity: High
Credited to dtrops, Carreau, Yann-P, krassowski, and jtpio

beets has a Cross-site Scripting vulnerability
CVE-2026-42052, published for beets (pip) on Apr 29, 2026. Severity: Moderate
Credited to FORIMOC and Yuremin

pretalx mail templates vulnerable to email injection via unescaped user-controlled placeholders
CVE-2026-41426, published for pretalx (pip) on Apr 18, 2026. Severity: Moderate
Credited to markfijneman

pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters
CVE-2025-61773, published for pyload-ng (pip) on Oct 9, 2025. Severity: High
Credited to odaysec

pretalx vulnerable to stored cross-site scripting in organizer search typeahead
CVE-2026-41241, published for pretalx (pip) on Apr 18, 2026. Severity: High

wger has Stored XSS via Unescaped License Attribution Fields
CVE-2026-40353, published for wger (pip) on Apr 16, 2026. Severity: Moderate
Credited to 0xkakash1

wlc: print_html outputs API data without HTML escaping
GHSA-gx2m-mcc2-r4p3, published for wlc (pip) on Apr 24, 2026. Severity: Moderate
Credited to fg0x0 and nijel

XSS Vulnerability in Markdown Editor
GHSA-85q9-7467-r53q, published for inventree (pip) on Jun 17, 2022. Severity: High
Credited to Gaurav-G2 and brawlingthebits

justhtml has sanitization bypass in custom policies and programmatic DOM
GHSA-vrx2-77f2-ww34, published for justhtml (pip) on Apr 22, 2026. Severity: Moderate
Credited to EmilStenstrom

justhtml includes multiple security fixes
GHSA-c9vm-hv86-f23r, published for justhtml (pip) on Apr 10, 2026. Severity: Moderate
Credited to EmilStenstrom

Multiple security fixes in justhtml
GHSA-4p64-v8f5-r2gx, published for justhtml (pip) on Apr 14, 2026. Severity: Low
Credited to EmilStenstrom

parisneo/lollms vulnerable to stored XSS in the social feature
CVE-2026-1115, published for lollms (pip) on Apr 10, 2026. Severity: Critical
Credited to offset

justhtml: Mutation XSS with custom foreign-namespace sanitization policies
GHSA-r758-8hxw-4845, published for justhtml (pip) on Apr 8, 2026. Severity: Low
Credited to EmilStenstrom

D-Tale: Remote Code Execution through redis/shelf storage
CVE-2026-35052, published for dtale (pip) on Apr 3, 2026. Severity: Moderate
Credited to QiaoNPC

Slippers Vulnerable to Cross-Site Scripting (XSS) in `attrs` Template Tag
CVE-2026-34231, published for slippers (pip) on Mar 30, 2026. Severity: Moderate
Credited to evansd

Home Assistant has stored XSS in history-graphs
CVE-2026-33045, published for homeassistant (pip) on Mar 27, 2026. Severity: Low
Credited to pwnpanda

Home Assistant has stored XSS in Map-card through malicious device name
CVE-2026-33044, published for homeassistant (pip) on Mar 27, 2026. Severity: Low
Credited to pwnpanda

Home Assistant has Stored XSS vulnerability in Energy dashboard from Energy Entity Name
CVE-2025-62172, published for homeassistant (pip) on Oct 14, 2025. Severity: High
Credited to pwnpanda

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nltk
CVE-2026-33230, published for nltk (pip) on Mar 18, 2026. Severity: Moderate
Credited to leduckhuong

JustHTML is vulnerable to XSS via code fence breakout in <pre> content
GHSA-5vp3-3cg6-2rq3, published for justhtml (pip) on Mar 24, 2026. Severity: High
Credited to AlfinJ0se

Label Studio vulnerable to Cross-site Scripting if `<Choices>` or `<Labels>` are used in labeling config
CVE-2024-26152, published for label-studio (pip) on Feb 22, 2024. Severity: Moderate
Credited to isacaya

Docassemble HTML and javascript injection
CVE-2024-27290, published for docassemble.webapp (pip) on Feb 29, 2024. Severity: Moderate
Credited to richighimi

Potentially untrusted input is rendered as HTML in final output
CVE-2024-26151, published for mjml (pip) on Feb 22, 2024. Severity: High
Credited to sh-at-cs