GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem (All reviewed: 5,000+): Composer 5,000+; Erlang 92; GitHub Actions 54; Go 4,236; Maven 5,000+; npm 5,000+; NuGet 1,028; pip 5,000+; Pub 13; RubyGems 1,103; Rust 1,460; Swift 61
Unreviewed advisories (All unreviewed): 5,000+
253 advisories
SFTPGo has stored XSS via inline parameter on public shares and user file download (Low, CVE-2026-49245) was published for github.com/drakkan/sftpgo/v2 (Go) on Jul 2, 2026
Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing (High, CVE-2026-48788) was published for github.com/umputun/remark42 (Go) on Jun 26, 2026
Gogs's Unauthenticated Jupyter Notebook (ipynb) Sanitizer allows arbitrary data: URIs leading to XSS (Moderate, CVE-2026-52816) was published for gogs.io/gogs (Go) on Jun 23, 2026
Gogs has DOM-based XSS via Milestone Name on New Issue Page (High, CVE-2026-52807) was published for gogs.io/gogs (Go) on Jun 23, 2026
Gogs has Stored XSS in `.ipynb` Preview (High, CVE-2026-52798) was published for gogs.io/gogs (Go) on Jun 22, 2026
Hugo: XSS via unescaped code-fence language in default code block renderer (Moderate, GHSA-q76j-gcg9-vxc6) was published for github.com/gohugoio/hugo (Go) on Jun 19, 2026
Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer (High, CVE-2026-28737) was published for code.gitea.io/gitea (Go) on Jun 17, 2026
Hugo: XSS via text/html content files (Moderate, CVE-2026-50133) was published for github.com/gohugoio/hugo (Go) on Jun 16, 2026
Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation (High, CVE-2026-45738) was published for github.com/argoproj/argo-cd (Go) on May 19, 2026
Arcane Backend: Unauthenticated reflected XSS via SVG color parameter enables admin account takeover (High, CVE-2026-45627) was published for github.com/getarcaneapp/arcane/backend (Go) on May 18, 2026
Mattermost doesn't escape some variables that could contain malicious content during error page composition (Low, CVE-2026-3495) was published for github.com/mattermost/mattermost-server (Go) on May 18, 2026
podinfo: cross-site scripting vulnerability in the /echo and /api/echo endpoints (Moderate, CVE-2026-43644) was published for github.com/stefanprodan/podinfo (Go) on May 14, 2026
SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution (Critical, CVE-2026-45375) was published for github.com/siyuan-note/siyuan/kernel (Go) on May 13, 2026
SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585) (Critical, CVE-2026-44588) was published for github.com/siyuan-note/siyuan/kernel (Go) on May 8, 2026
MCP Registry vulnerable to stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl` (Moderate, CVE-2026-44429) was published for github.com/modelcontextprotocol/registry (Go) on May 8, 2026
SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE (Critical, CVE-2026-44670) was published for github.com/siyuan-note/siyuan/kernel (Go) on May 8, 2026
Ech0's RSS feed renders unescaped tag names and raw-HTML markdown, stored XSS against subscribers (Moderate, GHSA-3v85-fqvh-7rxf) was published for github.com/lin-snow/Ech0 (Go) on May 7, 2026
FileBrowser Vulnerable to Stored XSS via SVG File in Public Share (Missing CSP Header) (Moderate, GHSA-mmpx-jh39-wrv6) was published for github.com/gtsteffaniak/filebrowser (Go) on May 7, 2026
Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component (Moderate, CVE-2026-44245) was published for github.com/kyverno/policy-reporter-ui (Go) on May 6, 2026
Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display (Moderate, CVE-2026-44903) was published for github.com/prometheus/prometheus (Go) on May 5, 2026
Fiber vulnerable to XSS in AutoFormat Content Negotiation (Moderate, CVE-2026-42554) was published for github.com/gofiber/fiber/v2 (Go) on May 5, 2026
goldmark vulnerable to Cross-site Scripting (XSS) (Moderate, CVE-2026-5160) was published for github.com/yuin/goldmark/renderer/html (Go) on Apr 17, 2026
zrok: Reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering (Moderate, CVE-2026-40302) was published for github.com/openziti/zrok (Go) on Apr 16, 2026
SiYuan has incomplete fix for CVE-2026-33066: XSS (Moderate, CVE-2026-40922) was published for github.com/siyuan-note/siyuan/kernel (Go) on Apr 14, 2026
Note Mark has Stored XSS via Unrestricted Asset Upload (High, CVE-2026-40262) was published for github.com/enchant97/note-mark/backend (Go) on Apr 13, 2026
Advisories are also available from the GraphQL API.