Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,662
Maven
5,000+
npm
4,289
NuGet
760
pip
4,069
Pub
12
RubyGems
957
Rust
1,057
Swift
45
Unreviewed advisories
All unreviewed
5,000+

129 advisories

Loading
Astro vulnerable to reflected XSS via the server islands feature High
CVE-2025-64764 was published for astro (npm) Nov 19, 2025
cold-try
Credited to cold-try
Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE High
CVE-2025-64495 was published for open-webui (npm) Nov 7, 2025
gg0h
Credited to gg0h
Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable High
CVE-2025-59840 was published for vega (npm) Nov 13, 2025
nickcopi hydrosquall
domoritz jeramysoucy lsh kachkaev
Credited to nickcopi, hydrosquall, domoritz, jeramysoucy, lsh, and kachkaev
DOMpurify has a nesting-based mXSS High
CVE-2024-47875 was published for dompurify (npm) Oct 11, 2024
bastien-roucaries eslerm
Credited to bastien-roucaries and eslerm
Astro's bypass of image proxy domain validation leads to SSRF and potential XSS High
CVE-2025-59837 was published for astro (npm) Oct 28, 2025
everping GeneralZero
Credited to everping and GeneralZero
Cross-site Scripting (XSS) in @scullyio/scully High
CVE-2020-28470 was published for @scullyio/ng-lib (npm) Apr 13, 2021
Duplicate Advisory: Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel High
GHSA-7rgr-72hp-9wp3 was published for flowise (npm) Oct 6, 2025 withdrawn
Duplicate Advisory: Flowise Stored XSS vulnerability through logs in chatbot High
GHSA-wq95-wr7m-26h4 was published for flowise (npm) Oct 6, 2025 withdrawn
MCP Inspector is Vulnerable to Potential Command Execution via XSS When Connecting to an Untrusted MCP Server High
CVE-2025-58444 was published for @modelcontextprotocol/inspector (npm) Sep 8, 2025
cai0duque
Credited to cai0duque
Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink High
CVE-2025-59430 was published for @meshconnect/web-link-sdk (npm) Sep 22, 2025
aptos-security zwxxb
zi0Black
Credited to aptos-security, zwxxb, and zi0Black
Webrecorder packages are vulnerable to XSS through 404 error handling logic High
CVE-2025-58765 was published for @webrecorder/archivewebpage (npm) Sep 10, 2025
Dedal0
Credited to Dedal0
N8N's Chat Trigger component is vulnerable to XSS High
CVE-2025-56265 was published for @n8n/n8n-nodes-langchain (npm) Sep 8, 2025
NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue High
CVE-2023-49781 was published for nocodb (npm) May 13, 2024
zpbrent
Credited to zpbrent
Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source High
CVE-2025-52478 was published for n8n (npm) Aug 19, 2025
dana-gill pfelilpe
agustedone ffaggiani LucianoSorrentino95
Credited to dana-gill, pfelilpe, agustedone, ffaggiani, and LucianoSorrentino95
NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting High
CVE-2025-54128 was published for @haxtheweb/haxcms-nodejs (npm) Jul 21, 2025
asareynolds
Credited to asareynolds
Nuxt MDC has an XSS vulnerability in markdown rendering that bypasses HTML filtering High
CVE-2025-54075 was published for @nuxtjs/mdc (npm) Jul 20, 2025
Vozec
Credited to Vozec
ag-grid Cross-Site Scripting vulnerability High
GHSA-7p6w-x2gr-rrf8 was published for ag-grid (npm) Sep 2, 2020
Withdrawn Advisory: lunary-ai/lunary XSS in SAML metadata endpoint High
CVE-2024-5478 was published for lunary (npm) Jun 6, 2024 withdrawn
hughcrt
Credited to hughcrt
DOM Expressions has a Cross-Site Scripting (XSS) vulnerability due to improper use of string.replace High
CVE-2025-27108 was published for dom-expressions (npm) Feb 25, 2025
nsysean ryansolid
Credited to nsysean and ryansolid
Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS) High
CVE-2025-27109 was published for solid-js (npm) Feb 25, 2025
ryansolid nsysean
Credited to ryansolid and nsysean
markdown-pdf vulnerable to local file read via server side cross-site scripting (XSS) High
CVE-2023-0835 was published for markdown-pdf (npm) Apr 5, 2023
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS High
CVE-2024-47068 was published for rollup (npm) Sep 23, 2024
jackfromeast ishmeals
Credited to jackfromeast and ishmeals
Plate allows arbitrary DOM attributes in element.attributes and leaf.attributes High
CVE-2024-47061 was published for @udecode/plate-core (npm) Sep 20, 2024
gettext.js has a Cross-site Scripting injection High
CVE-2024-43370 was published for gettext.js (npm) Aug 15, 2024
mcoimbra filipeom
Credited to mcoimbra and filipeom
Plate media plugins has a XSS in media embed element when using custom URL parsers High
CVE-2024-40631 was published for @udecode/plate-media (npm) Jul 15, 2024
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database