GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

167 advisories

Hugo: Certain markdown links are not properly escaped Moderate
CVE-2026-35166 was published for github.com/gohugoio/hugo (Go) Apr 3, 2026
Credited to cataliniovita
File Browser vulnerable to Stored Cross-site Scripting via text/template branding injection Moderate
CVE-2026-34530 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 31, 2026
Credited to tomasvanagas
SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata Moderate
CVE-2026-33067 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 18, 2026
Credited to 0xkakash1
SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering Moderate
CVE-2026-33066 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 18, 2026
Credited to 0xkakash1
SiYuan Vulnerable to Remote Code Execution via Malicious Bazaar Package — Marketplace XSS Moderate
GHSA-v3mg-9v85-fcm7 was published for siyuan (Go) Mar 16, 2026
Credited to 0xkakash1
SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface Moderate
CVE-2026-32751 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 16, 2026
Credited to 0xkakash1
SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS Moderate
CVE-2026-31809 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 10, 2026
Credited to 0xkakash1
SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS Moderate
CVE-2026-31807 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 10, 2026
Credited to 0xkakash1
Gogs: Stored XSS in branch and wiki views through author and committer names Moderate
CVE-2026-26195 was published for gogs.io/gogs (Go) Mar 5, 2026
Credited to rezmoss
osctrl has Stored Cross-Site Scripting (XSS) in On-Demand Query List Moderate
CVE-2026-28280 was published for github.com/jmpsec/osctrl (Go) Feb 28, 2026
Credited to sho-luv and Kwangyun
Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module Moderate
CVE-2026-27116 was published for code.vikunja.io/api (Go) Feb 25, 2026
Credited to sudo0xksh
Navidrome has XSS via comment from song metadata Moderate
CVE-2026-25578 was published for github.com/navidrome/navidrome (Go) Feb 4, 2026
Credited to AlexGustafsson
Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability Moderate
CVE-2026-22808 was published for github.com/fleetdm/fleet (Go) Jan 20, 2026
Credited to prateek-0490 and iansltx
SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload Moderate
CVE-2026-23645 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 16, 2026
Credited to jaroslaw-wawiorko
listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover Moderate
CVE-2026-21483 was published for github.com/knadh/listmonk (Go) Jan 2, 2026
Credited to PlayerIUnknown
Gitea vulnerable to Cross-site Scripting Moderate
CVE-2025-68946 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text Moderate
CVE-2025-68942 was published for code.gitea.io/gitea (Go) Dec 26, 2025
Algernon Cross-Site Scripting vulnerability Moderate
CVE-2025-65754 was published for github.com/xyproto/algernon (Go) Dec 10, 2025
Anubis vulnerable to possible XSS via redir parameter when using subrequest auth mode Moderate
CVE-2025-64716 was published for github.com/TecharoHQ/anubis (Go) Oct 30, 2025
Credited to nijel and mbiesiad
Memos Vulnerable to Stored Cross-Site Scripting Moderate
CVE-2025-56761 was published for github.com/usememos/memos (Go) Sep 4, 2025
Memos has Cross-Site Scripting (XSS) Vulnerability in Image URLs Moderate
CVE-2025-50738 was published for github.com/usememos/memos (Go) Jul 29, 2025
Harbor repository description page has Cross-site Scripting vulnerability Moderate
CVE-2025-32019 was published for github.com/goharbor/harbor (Go) Jul 23, 2025
Gogs XSS allowed by stored call in PDF renderer Moderate
CVE-2025-47943 was published for github.com/gogs/gogs (Go) Jun 26, 2025
Credited to edoardottt
Gokapi vulnerable to stored XSS via uploading file with malicious file name Moderate
CVE-2025-48494 was published for github.com/forceu/gokapi (Go) Jun 3, 2025
Credited to 4rdr and Forceu
Gokapi has stored XSS vulnerability in friendly name for API keys Moderate
CVE-2025-48495 was published for github.com/forceu/gokapi (Go) Jun 3, 2025
Credited to Forceu