GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
747 advisories
Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers
Moderate · CVE-2026-27902 was published for svelte (npm) · Feb 26, 2026
Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`
Moderate · CVE-2026-27901 was published for svelte (npm) · Feb 26, 2026
Storybook Dev Server is Vulnerable to WebSocket Hijacking
High · CVE-2026-27148 was published for storybook (npm) · Feb 26, 2026
n8n Vulnerable to Stored XSS via Various Nodes
High · CVE-2026-27578 was published for n8n (npm) · Feb 25, 2026
repostat: Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard
Moderate · CVE-2026-27612 was published for repostat (npm) · Feb 25, 2026
Sync-in Server has a stored cross-site scripting (XSS) vulnerability
Moderate · CVE-2025-67438 was published for @sync-in/server (npm) · Feb 20, 2026
Pannellum has a XSS vulnerability in hot spot attributes
Moderate · CVE-2026-27210 was published for pannellum (npm) · Feb 19, 2026
Svelte SSR does not validate dynamic element tag names in `<svelte:element>`
Moderate · CVE-2026-27122 was published for svelte (npm) · Feb 19, 2026
Svelte affected by cross-site scripting via spread attributes in Svelte SSR
Moderate · CVE-2026-27121 was published for svelte (npm) · Feb 19, 2026
Svelte affected by XSS in SSR `<option>` element
Moderate · CVE-2026-27119 was published for svelte (npm) · Feb 19, 2026
Fabric.js Affected by Stored XSS via SVG Export
High · CVE-2026-27013 was published for fabric (npm) · Feb 18, 2026
OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection
Moderate · CVE-2026-27009 was published for openclaw (npm) · Feb 18, 2026
Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site
Moderate · GHSA-w5cr-2qhr-jqc5 was published for agents (npm) · Feb 13, 2026
beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS)
Moderate · CVE-2026-26226 was published for beautiful-mermaid (npm) · Feb 13, 2026
Cloudflare Agents is Vulnerable to Reflected Cross-Site Scripting in the AI Playground's OAuth callback handler
Moderate · CVE-2026-1721 was published for agents (npm) · Feb 13, 2026
SCEditor has DOM XSS via emoticon URL/HTML injection
Moderate · CVE-2026-25581 was published for sceditor (npm) · Feb 6, 2026
n8n Has Stored Cross-site Scripting via Markdown Rendering in Workflow UI
High · CVE-2026-25054 was published for n8n (npm) · Feb 4, 2026
n8n's Improper CSP Enforcement in Webhook Responses May Allow Stored XSS
High · CVE-2026-25051 was published for n8n (npm) · Feb 4, 2026
Qwik SSR XSS via Unsafe Virtual Node Serialization
Moderate · CVE-2026-25148 was published for @builder.io/qwik-city (npm) · Feb 3, 2026
NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload
High · CVE-2026-24769 was published for nocodb (npm) · Jan 28, 2026
Ghost vulnerable to XSS via malicious Portal preview links
High · CVE-2026-24778 was published for @tryghost/portal (npm) · Jan 28, 2026
Hono vulnerable to XSS through ErrorBoundary component
Moderate · CVE-2026-24771 was published for hono (npm) · Jan 28, 2026
billboard.js is vulnerable to XSS during chart option binding
High · CVE-2026-1513 was published for billboard.js (npm) · Jan 28, 2026
Saltcorn's Reflected XSS and Command Injection vulnerabilities can be chained for 1-click-RCE
Critical · GHSA-cr3w-cw5w-h3fj was published for @saltcorn/server (npm) · Jan 26, 2026
Typebot affected by Credential Theft via Client-Side Script Execution and API Authorization Bypass
High · CVE-2025-65098 was published for @typebot.io/js (npm) · Jan 22, 2026
ProTip! Advisories are also available from the GraphQL API.