GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories: All reviewed 5,000+; Composer 5,000+; Erlang 49; GitHub Actions 50; Go 3,599; Maven 5,000+; npm 5,000+; NuGet 924; pip 4,828; Pub 13; RubyGems 1,045; Rust 1,256; Swift 53
Unreviewed advisories: All unreviewed 5,000+
41,948 advisories
CyberPanel versions prior to 2.4.4 contain a stored cross-site scripting vulnerability in the AI...
Moderate | Unreviewed | CVE-2026-41472 was published Apr 24, 2026
wlc: print_html outputs API data without HTML escaping
Moderate | GHSA-gx2m-mcc2-r4p3 was published for wlc (pip) Apr 24, 2026
Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering)
Moderate | GHSA-39h7-pwv7-rc3x was published for @excalidraw/excalidraw (npm) Apr 24, 2026
Mahara before 25.04.2 and 24.04.11 are vulnerable to displaying results that can trigger XSS via...
Moderate | Unreviewed | CVE-2025-61872 was published Apr 24, 2026
Cross Site Scripting vulnerability in Hostbill v.2025-11-24 and 2025-12-01 allows a remote...
Moderate | Unreviewed | CVE-2026-31050 was published Apr 24, 2026
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
Moderate | CVE-2026-41305 was published for postcss (npm) Apr 24, 2026
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in...
Moderate | Unreviewed | CVE-2026-41043 was published Apr 24, 2026
AdaptiveGRC is vulnerable to Stored XSS via text type fields across the forms. Authenticated...
Low | Unreviewed | CVE-2026-4313 was published Apr 24, 2026
The ITERAS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple...
Moderate | Unreviewed | CVE-2026-4078 was published Apr 24, 2026
The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via...
Moderate | Unreviewed | CVE-2026-5428 was published Apr 24, 2026
In hackage-server, user-controlled metadata from .cabal files are rendered into HTML href...
Critical | Unreviewed | CVE-2026-40472 was published Apr 23, 2026
A critical XSS vulnerability affected hackage-server and hackage.haskell.org. HTML and...
Critical | Unreviewed | CVE-2026-40470 was published Apr 23, 2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')...
Moderate | Unreviewed | CVE-2025-62110 was published Apr 23, 2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')...
Moderate | Unreviewed | CVE-2026-28040 was published Apr 23, 2026
The reCaptcha by WebDesignBy WordPress plugin before 2.0 does not sanitize or escape the Site Key...
Low | Unreviewed | CVE-2026-4512 was published Apr 23, 2026
The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ...
Moderate | Unreviewed | CVE-2026-3361 was published Apr 23, 2026
The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site...
Moderate | Unreviewed | CVE-2026-1923 was published Apr 23, 2026
The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is...
Moderate | Unreviewed | CVE-2026-2951 was published Apr 23, 2026
IBM Guardium Data Protection 12.1 is vulnerable to cross-site scripting. This vulnerability...
Moderate | Unreviewed | CVE-2026-4919 was published Apr 23, 2026
IBM Guardium Data Protection 12.1 is vulnerable to stored cross-site scripting. This...
Moderate | Unreviewed | CVE-2026-4918 was published Apr 23, 2026
OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender
Moderate | GHSA-ffq5-qpvf-xq7x was published for openc3 (RubyGems) Apr 22, 2026
An authenticated attacker can persist crafted values in multiple field types and trigger client...
Moderate | Unreviewed | CVE-2026-3837 was published Apr 22, 2026
An authenticated attacker can store a crafted tag value in _user_tags and trigger JavaScript...
Moderate | Unreviewed | CVE-2026-3673 was published Apr 22, 2026
The WM JqMath plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style'...
Moderate | Unreviewed | CVE-2026-3998 was published Apr 22, 2026
The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the...
Moderate | Unreviewed | CVE-2026-4005 was published Apr 22, 2026