Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,698
Maven
5,000+
npm
4,325
NuGet
761
pip
4,099
Pub
12
RubyGems
958
Rust
1,063
Swift
45
Unreviewed advisories
All unreviewed
5,000+

139 advisories

Loading
Aimeos GrapesJS CMS extension has possible stored XSS that's exploitable by authenticated editors High
CVE-2025-66468 was published for aimeos/ai-cms-grapesjs (Composer) Dec 3, 2025
Magento DOM-based Cross-Site Scripting (XSS) vulnerability High
CVE-2024-39400 was published for magento/community-edition (Composer) Aug 14, 2024
Magento Stored Cross-Site Scripting (XSS) vulnerability High
CVE-2024-39403 was published for magento/community-edition (Composer) Aug 14, 2024
Pimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document High
CVE-2024-11954 was published for pimcore/pimcore (Composer) Jan 28, 2025
maeitsec
Credited to maeitsec
smarty Cross-site Scripting vulnerability in Javascript escaping High
CVE-2023-28447 was published for smarty/smarty (Composer) Mar 29, 2023
takaram
Credited to takaram
Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation High
CVE-2025-64112 was published for statamic/cms (Composer) Oct 30, 2025
wojtekchwala
Credited to wojtekchwala
Magento vulnerable to stored Cross-Site Scripting (XSS) High
CVE-2025-54264 was published for magento/community-edition (Composer) Oct 14, 2025
Bagisto is vulnerable to XSS through Admin Panel's product creation path High
CVE-2025-60880 was published for bagisto/bagisto (Composer) Oct 10, 2025
Star Citizen EmbedVideo Extension Stored XSS through wikitext caused by usage of non-reserved data attributes High
CVE-2025-59839 was published for starcitizenwiki/embedvideo (Composer) Sep 24, 2025
SomeMWDev
Credited to SomeMWDev
Shopware: Reflective Cross Site-Scripting (XSS) in CMS components High
GHSA-9v82-vcjx-m76j was published for shopware/core (Composer) Sep 10, 2025
Magento Cross-site Scripting vulnerability High
CVE-2025-49557 was published for magento/community-edition (Composer) Aug 12, 2025
Citizen vulnerable to Stored XSS through short descriptions High
CVE-2025-53370 was published for starcitizentools/citizen-skin (Composer) Jul 3, 2025
SomeMWDev
Credited to SomeMWDev
starcitizentools/citizen-skin is vulnerable to Stored XSS attack in the legacy search bar through page descriptions High
CVE-2025-53368 was published for starcitizentools/citizen-skin (Composer) Jul 3, 2025
SomeMWDev
Credited to SomeMWDev
Citizen Short Description stored XSS vulnerability through wikitext High
CVE-2025-53369 was published for starcitizentools/short-description (Composer) Jul 3, 2025
SomeMWDev
Credited to SomeMWDev
TabberNeue vulnerable to Stored XSS through wikitext High
CVE-2025-53093 was published for starcitizentools/tabber-neue (Composer) Jun 27, 2025
SomeMWDev
Credited to SomeMWDev
Hax CMS Stored Cross-Site Scripting vulnerability High
CVE-2025-49137 was published for elmsln/haxcms (Composer) Jun 9, 2025
lfgberg asareynolds
Credited to lfgberg and asareynolds
PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file High
CVE-2024-56408 was published for phpoffice/phpexcel (Composer) Jan 3, 2025
zly123987
Credited to zly123987
YesWiki Vulnerable to Unauthenticated Reflected Cross-site Scripting High
CVE-2025-46349 was published for yeswiki/yeswiki (Composer) Apr 29, 2025
Browsershot does not validate URL protocols passed to Browsershot URL method High
CVE-2022-41706 was published for spatie/browsershot (Composer) Nov 25, 2022
tdunlap607
Credited to tdunlap607
phpMyAdmin allows remote attackers to spoof content via the url parameter High
CVE-2015-7873 was published for phpmyadmin/phpmyadmin (Composer) May 17, 2022
PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class High
CVE-2024-56365 was published for phpoffice/phpexcel (Composer) Jan 3, 2025
PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php file High
CVE-2024-56366 was published for phpoffice/phpexcel (Composer) Jan 3, 2025
PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file High
CVE-2024-56409 was published for phpoffice/phpexcel (Composer) Jan 3, 2025
Magento Open Source allows Cross-Site Scripting (XSS) High
CVE-2024-20719 was published for magento/community-edition (Composer) Feb 15, 2024
Magento Open Source allows Stored Cross-Site Scripting (Stored XSS) High
CVE-2022-35698 was published for magento/community-edition (Composer) Oct 15, 2022
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database