GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
653 advisories
Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink
High
CVE-2025-59430
was published
for
@meshconnect/web-link-sdk
(npm)
Sep 22, 2025
Mailgen: HTML injection vulnerability in plaintext e-mails
Moderate
CVE-2025-59526
was published
for
mailgen
(npm)
Sep 22, 2025
Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages
Moderate
CVE-2025-59417
was published
for
@lobehub/chat
(npm)
Sep 18, 2025
Stored XSS in n8n LangChain Chat Trigger Node via initialMessages Parameter
Moderate
CVE-2025-58177
was published
for
n8n
(npm)
Sep 15, 2025
jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin
Moderate
CVE-2025-9910
was published
for
jsondiffpatch
(npm)
Sep 11, 2025
Decap CMS Cross Site Scripting (XSS) vulnerability
Moderate
CVE-2025-57520
was published
for
decap-cms
(npm)
Sep 10, 2025
Webrecorder packages are vulnerable to XSS through 404 error handling logic
High
CVE-2025-58765
was published
for
@webrecorder/archivewebpage
(npm)
Sep 10, 2025
MCP Inspector is Vulnerable to Potential Command Execution via XSS When Connecting to an Untrusted MCP Server
High
CVE-2025-58444
was published
for
@modelcontextprotocol/inspector
(npm)
Sep 8, 2025
Mermaid improperly sanitizes sequence diagram labels leading to XSS
Moderate
CVE-2025-54881
was published
for
mermaid
(npm)
Aug 19, 2025
Mermaid does not properly sanitize architecture diagram iconText leading to XSS
Moderate
CVE-2025-54880
was published
for
mermaid
(npm)
Aug 19, 2025
Astro allows unauthorized third-party images in _image endpoint
Moderate
CVE-2025-55303
was published
for
@astrojs/node
(npm)
Aug 19, 2025
Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source
High
CVE-2025-52478
was published
for
n8n
(npm)
Aug 19, 2025
ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/apps.js
Moderate
CVE-2025-9096
was published
for
express-gateway
(npm)
Aug 18, 2025
ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/users.js
Moderate
CVE-2025-9095
was published
for
express-gateway
(npm)
Aug 18, 2025
NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting
High
CVE-2025-54128
was published
for
@haxtheweb/haxcms-nodejs
(npm)
Jul 21, 2025
Nuxt MDC has an XSS vulnerability in markdown rendering that bypasses HTML filtering
High
CVE-2025-54075
was published
for
@nuxtjs/mdc
(npm)
Jul 20, 2025
vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes
Moderate
CVE-2025-53892
was published
for
@intlify/core
(npm)
Jul 16, 2025
@pdfme/common vulnerable to to XSS and Prototype Pollution through its expression evaluation
Moderate
CVE-2025-53626
was published
for
@pdfme/common
(npm)
Jul 10, 2025
OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer
Moderate
CVE-2025-50183
was published
for
@openlist-frontend/openlist-frontend
(npm)
Jun 18, 2025
Bootstrap Vulnerable to Cross-Site Scripting in its Popover and Tooltip Components
Moderate
CVE-2025-1647
was published
for
bootstrap
(npm)
May 15, 2025
ProTip!
Advisories are also available from the
GraphQL API