GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,258
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,483
Swift
61
Unreviewed advisories
All unreviewed
5,000+
254 advisories
Filter by severity
ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover
High
CVE-2026-29192
was published
for
github.com/zitadel/zitadel
(Go)
Mar 4, 2026
ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint
Critical
CVE-2026-29191
was published
for
github.com/zitadel/zitadel
(Go)
Mar 4, 2026
SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint
Critical
CVE-2026-29183
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 4, 2026
osctrl has Stored Cross-Site Scripting (XSS) in On-Demand Query List
Moderate
CVE-2026-28280
was published
for
github.com/jmpsec/osctrl
(Go)
Feb 28, 2026
Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure
High
CVE-2026-27616
was published
for
code.vikunja.io/api
(Go)
Feb 25, 2026
Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module
Moderate
CVE-2026-27116
was published
for
code.vikunja.io/api
(Go)
Feb 25, 2026
New API has Potential XSS in its MarkdownRenderer component
High
CVE-2026-25802
was published
for
github.com/QuantumNous/new-api
(Go)
Feb 23, 2026
Grafana has a Cross-site Scripting issue
Moderate
CVE-2025-41117
was published
for
github.com/grafana/grafana
(Go)
Feb 12, 2026
Vikunja Vulnerable to XSS Via Task Preview
High
CVE-2026-25935
was published
for
code.vikunja.io/api
(Go)
Feb 11, 2026
Gogs vulnerable to Stored XSS via Mermaid diagrams
High
GHSA-26gq-grmh-6xm6
was published
for
gogs.io/gogs
(Go)
Feb 6, 2026
Mattermost Confluence plugin doesn't properly escape user-controlled display names in HTML template rendering
High
CVE-2025-13523
was published
for
github.com/mattermost/mattermost-plugin-confluence
(Go)
Feb 6, 2026
Navidrome has XSS via comment from song metadata
Moderate
CVE-2026-25578
was published
for
github.com/navidrome/navidrome
(Go)
Feb 4, 2026
Podinfo affected by Arbitrary File Upload that leads to Stored Cross-Site Scripting (XSS)
Low
CVE-2025-70849
was published
for
github.com/stefanprodan/podinfo
(Go)
Feb 3, 2026
Argo Workflows affected by stored XSS in the artifact directory listing
High
CVE-2026-23960
was published
for
github.com/argoproj/argo-workflows
(Go)
Jan 21, 2026
SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon
Low
CVE-2026-23847
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jan 21, 2026
Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability
Moderate
CVE-2026-22808
was published
for
github.com/fleetdm/fleet
(Go)
Jan 20, 2026
SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload
Moderate
CVE-2026-23645
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jan 16, 2026
listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover
Moderate
CVE-2026-21483
was published
for
github.com/knadh/listmonk
(Go)
Jan 2, 2026
Duplicate Advisory: Reflected XSS in go-httpbin due to unrestricted client control over Content-Type
Low
GHSA-p4f6-h8jj-vfvf
was published
for
github.com/mccutchen/go-httpbin
(Go)
Jan 2, 2026
•
withdrawn
Gitea vulnerable to Cross-site Scripting
Moderate
CVE-2025-68946
was published
for
code.gitea.io/gitea
(Go)
Dec 26, 2025
Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text
Moderate
CVE-2025-68942
was published
for
code.gitea.io/gitea
(Go)
Dec 26, 2025
Libredesk has Improper Neutralization of HTML Tags in a Web Page
High
CVE-2025-68927
was published
for
github.com/abhinavxd/libredesk
(Go)
Dec 16, 2025
Algernon Cross-Site Scripting vulnerability
Moderate
CVE-2025-65754
was published
for
github.com/xyproto/algernon
(Go)
Dec 10, 2025
ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login
High
CVE-2025-67495
was published
for
github.com/zitadel/zitadel
(Go)
Dec 8, 2025
Anubis vulnerable to possible XSS via redir parameter when using subrequest auth mode
Moderate
CVE-2025-64716
was published
for
github.com/TecharoHQ/anubis
(Go)
Oct 30, 2025
ProTip!
Advisories are also available from the
GraphQL API