GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

223 advisories

Hugo: Certain markdown links are not properly escaped Moderate
CVE-2026-35166 was published for github.com/gohugoio/hugo (Go) Apr 3, 2026
Credited to cataliniovita
SiYuan vulnerable to reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated) High
CVE-2026-34605 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 1, 2026
Credited to fg0x0
SiYuan Desktop: Stored XSS in imported .sy.zip content leads to arbitrary command execution High
CVE-2026-34585 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 1, 2026
Credited to ngocnn97
File Browser vulnerable to Stored Cross-site Scripting via text/template branding injection Moderate
CVE-2026-34530 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 31, 2026
Credited to tomasvanagas
File Browser is vulnerable to Stored Cross-site Scripting via crafted EPUB file High
CVE-2026-34529 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 31, 2026
Credited to tomasvanagas
SiYuan: Stored XSS in Attribute View Gallery/Kanban Cover Rendering Allows Arbitrary Command Execution in Desktop Client Critical
CVE-2026-34448 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 31, 2026
Credited to ngocnn97
Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting Low
CVE-2026-33525 was published for github.com/authelia/authelia/v4 (Go) Mar 24, 2026
mo has an XSS via inline SVG script tags in Markdown rendering Low
GHSA-vccx-p757-pv6h was published for github.com/k1LoW/mo (Go) Mar 18, 2026
Credited to yagihash
SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata Moderate
CVE-2026-33067 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 18, 2026
Credited to 0xkakash1
SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering Moderate
CVE-2026-33066 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 18, 2026
Credited to 0xkakash1
SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183) Critical
CVE-2026-32940 was published for github.com/siyuan-note/siyuan (Go) Mar 17, 2026
Credited to vnykmshr
SiYuan Vulnerable to Remote Code Execution via Malicious Bazaar Package — Marketplace XSS Moderate
GHSA-v3mg-9v85-fcm7 was published for siyuan (Go) Mar 16, 2026
Credited to 0xkakash1
SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface Moderate
CVE-2026-32751 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 16, 2026
Credited to 0xkakash1
SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS Moderate
CVE-2026-31809 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 10, 2026
Credited to 0xkakash1
SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS Moderate
CVE-2026-31807 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 10, 2026
Credited to 0xkakash1
FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse) High
CVE-2026-30934 was published for github.com/gtsteffaniak/filebrowser (Go) Mar 9, 2026
Credited to lulaide
Gogs: DOM-based XSS via milestone selection High
CVE-2026-26276 was published for gogs.io/gogs (Go) Mar 5, 2026
Credited to odgrso
Gogs: Stored XSS in branch and wiki views through author and committer names Moderate
CVE-2026-26195 was published for gogs.io/gogs (Go) Mar 5, 2026
Credited to rezmoss
Gogs: Stored XSS via data URI in issue comments High
CVE-2026-26022 was published for gogs.io/gogs (Go) Mar 5, 2026
Credited to dxlerYT
Gokapi has Stored XSS in SVG Hotlinks High
CVE-2026-28683 was published for github.com/forceu/gokapi (Go) Mar 5, 2026
Credited to Sijisu, aisafe-bot, and Forceu
ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover High
CVE-2026-29192 was published for github.com/zitadel/zitadel (Go) Mar 4, 2026
Credited to amit-laish and livio-a
ZITADEL has 1-Click Account Takeover via XSS in /saml-post Endpoint Critical
CVE-2026-29191 was published for github.com/zitadel/zitadel (Go) Mar 4, 2026
Credited to amit-laish, bastionstack, and livio-a
SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint Critical
CVE-2026-29183 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 4, 2026
Credited to maru1009
osctrl has Stored Cross-Site Scripting (XSS) in On-Demand Query List Moderate
CVE-2026-28280 was published for github.com/jmpsec/osctrl (Go) Feb 28, 2026
Credited to sho-luv and Kwangyun
Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure High
CVE-2026-27616 was published for code.vikunja.io/api (Go) Feb 25, 2026
Credited to iamsampathk and sudo0xksh