
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

253 advisories

SFTPGo has stored XSS via inline parameter on public shares and user file download Low
CVE-2026-49245 was published for github.com/drakkan/sftpgo/v2 (Go) Jul 2, 2026
Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing High
CVE-2026-48788 was published for github.com/umputun/remark42 (Go) Jun 26, 2026
Credited to ildkh
Gogs's Unauthenticated Jupyter Notebook (ipynb) Sanitizer allows arbitrary data: URIs leading to XSS Moderate
CVE-2026-52816 was published for gogs.io/gogs (Go) Jun 23, 2026
Credited to JLGitHub66
Gogs has DOM-based XSS via Milestone Name on New Issue Page High
CVE-2026-52807 was published for gogs.io/gogs (Go) Jun 23, 2026
Gogs has Stored XSS in `.ipynb` Preview High
CVE-2026-52798 was published for gogs.io/gogs (Go) Jun 22, 2026
Credited to odgrso
Hugo: XSS via unescaped code-fence language in default code block renderer Moderate
GHSA-q76j-gcg9-vxc6 was published for github.com/gohugoio/hugo (Go) Jun 19, 2026
Credited to k0ngj1
Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer High
CVE-2026-28737 was published for code.gitea.io/gitea (Go) Jun 17, 2026
Credited to yonatan-pl
Hugo: XSS via text/html content files Moderate
CVE-2026-50133 was published for github.com/gohugoio/hugo (Go) Jun 16, 2026
Credited to jmooring
Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation High
CVE-2026-45738 was published for github.com/argoproj/argo-cd (Go) May 19, 2026
Credited to kah-ja
Arcane Backend: Unauthenticated reflected XSS via SVG color parameter enables admin account takeover High
CVE-2026-45627 was published for github.com/getarcaneapp/arcane/backend (Go) May 18, 2026
Credited to offset
Mattermost doesn't escape some variables that could contain malicious content during error page composition Low
CVE-2026-3495 was published for github.com/mattermost/mattermost-server (Go) May 18, 2026
podinfo: cross-site scripting vulnerability in the /echo and /api/echo endpoints Moderate
CVE-2026-43644 was published for github.com/stefanprodan/podinfo (Go) May 14, 2026
SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution Critical
CVE-2026-45375 was published for github.com/siyuan-note/siyuan/kernel (Go) May 13, 2026
Credited to Revanth011
SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585) Critical
CVE-2026-44588 was published for github.com/siyuan-note/siyuan/kernel (Go) May 8, 2026
Credited to amwhoi
MCP Registry vulnerable to stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl` Moderate
CVE-2026-44429 was published for github.com/modelcontextprotocol/registry (Go) May 8, 2026
Credited to JosephDoUrden and rdimitrov
SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE Critical
CVE-2026-44670 was published for github.com/siyuan-note/siyuan/kernel (Go) May 8, 2026
Credited to amwhoi
Ech0's RSS feed renders unescaped tag names and raw-HTML markdown, stored XSS against subscribers Moderate
GHSA-3v85-fqvh-7rxf was published for github.com/lin-snow/Ech0 (Go) May 7, 2026
Credited to adrgs and aisafe-bot
FileBrowser Vulnerable to Stored XSS via SVG File in Public Share (Missing CSP Header) Moderate
GHSA-mmpx-jh39-wrv6 was published for github.com/gtsteffaniak/filebrowser (Go) May 7, 2026
Credited to MuxiLyuLucy
Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component Moderate
CVE-2026-44245 was published for github.com/kyverno/policy-reporter-ui (Go) May 6, 2026
Credited to r0binak
Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display Moderate
CVE-2026-44903 was published for github.com/prometheus/prometheus (Go) May 5, 2026
Credited to iiihaiii and ngocnn97
Fiber vulnerable to XSS in AutoFormat Content Negotiation Moderate
CVE-2026-42554 was published for github.com/gofiber/fiber/v2 (Go) May 5, 2026
Credited to wodzen, gaby, ReneWerner87, and sixcolors
goldmark vulnerable to Cross-site Scripting (XSS) Moderate
CVE-2026-5160 was published for github.com/yuin/goldmark/renderer/html (Go) Apr 17, 2026
zrok: Reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering Moderate
CVE-2026-40302 was published for github.com/openziti/zrok (Go) Apr 16, 2026
Credited to bugbunny-research
SiYuan has incomplete fix for CVE-2026-33066: XSS Moderate
CVE-2026-40922 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 14, 2026
Note Mark has Stored XSS via Unrestricted Asset Upload High
CVE-2026-40262 was published for github.com/enchant97/note-mark/backend (Go) Apr 13, 2026
Credited to QiaoNPC, Across-Verticals-Malaysia, and enchant97
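The mechanism shared by most entries in this list is an attacker-controlled value rendered into HTML markup or an HTML attribute without context-aware escaping (the "attribute-quote breakout" and unsafe `data:`/`javascript:` URI titles above are the clearest cases). The following is an added illustrative example in Go, not code from any of the listed projects or their advisories: it renders a constructed, hostile "website URL" once with `text/template`, which performs no escaping, and once with `html/template`, whose contextual escaper knows it is inside a quoted `href` attribute. The template markup, the field name and the sample input are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	texttemplate "text/template"
)

// Constructed sample input (not taken from any advisory): a value that closes
// the href attribute early and injects an event-handler attribute.
const hostileWebsiteURL = `https://example.com/" onmouseover="alert(document.cookie)`

// Hypothetical card markup shared by both renderers; the attacker value lands
// inside a double-quoted href attribute.
const cardMarkup = `<a href="{{.}}">website</a>`

// renderUnsafe reproduces the bug class: text/template treats the value as
// opaque text and writes it verbatim, so the embedded quote ends the
// attribute and `onmouseover` becomes a live event handler.
func renderUnsafe(websiteURL string) string {
	t := texttemplate.Must(texttemplate.New("card").Parse(cardMarkup))
	var buf bytes.Buffer
	if err := t.Execute(&buf, websiteURL); err != nil {
		panic(err)
	}
	return buf.String()
}

// renderSafe uses html/template with the identical markup. Its parser tracks
// that {{.}} is in a URL attribute: unsafe schemes (javascript:, data:) are
// replaced with "#ZgotmplZ", and characters such as `"`, space and parens
// are percent-encoded, so the quote can never terminate the attribute.
func renderSafe(websiteURL string) string {
	t := template.Must(template.New("card").Parse(cardMarkup))
	var buf bytes.Buffer
	if err := t.Execute(&buf, websiteURL); err != nil {
		panic(err)
	}
	return buf.String()
}

func main() {
	fmt.Println("text/template (vulnerable):", renderUnsafe(hostileWebsiteURL))
	fmt.Println("html/template (escaped):   ", renderSafe(hostileWebsiteURL))
	fmt.Println("html/template (data: URI): ", renderSafe("data:text/html,<script>alert(1)</script>"))
}
```

The practical check is the one this example encodes: grep a Go code base for `text/template`, `fmt.Sprintf`, `strings.Builder` or `w.Write` producing HTML, and for `template.HTML`, `template.URL` or `template.JS` casts applied to user-controlled data, since each of those bypasses the contextual escaper that `html/template` otherwise applies.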