GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
745 advisories
TeleJSON: DOM XSS via unsanitised constructor name in `new Function()` [Low] GHSA-ccgf-5rwj-j3hv was published for telejson (npm), Apr 2, 2026
dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration [High] CVE-2026-34725 was published for dbgate-web (npm), Apr 1, 2026
@payloadcms/next has Stored XSS in Admin Panel [High] CVE-2026-34748 was published for @payloadcms/next (npm), Apr 1, 2026
Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes [Moderate] CVE-2026-34405 was published for nuxt-og-image (npm), Mar 31, 2026
Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController) [Low] GHSA-53p3-c7vp-4mcc was published for action_text-trix (RubyGems), Mar 29, 2026
DOMPurify is vulnerable to mutation-XSS via Re-Contextualization [Moderate] GHSA-h8r8-wccr-v5f2 was published for dompurify (npm), Mar 27, 2026
Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options [High] CVE-2026-33941 was published for handlebars (npm), Mar 27, 2026
n8n has XSS in its Credential Management Flow [Moderate] GHSA-364x-8g5j-x2pr was published for n8n (npm), Mar 27, 2026
n8n has XSS in Chat Trigger Node through Custom CSS [Moderate] GHSA-3c7f-5hgj-h279 was published for n8n (npm), Mar 27, 2026
n8n: Authenticated XSS and Open Redirect via Form Node [Moderate] GHSA-w673-8fjw-457c was published for n8n (npm), Mar 27, 2026
n8n has a Stored XSS Vulnerability in its Form Trigger [Moderate] GHSA-q4fm-pjq6-m63g was published for n8n (npm), Mar 27, 2026
Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk) [High] CVE-2026-33979 was published for express-xss-sanitizer (npm), Mar 27, 2026
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection [Moderate] CVE-2026-33916 was published for handlebars (npm), Mar 26, 2026
n8n Vulnerable to XSS via Binary Data Inline HTML Rendering [Moderate] CVE-2026-33749 was published for n8n (npm), Mar 26, 2026
Seafile Server has multiple stored XSS vulnerabilities [Moderate] CVE-2026-30587 was published for @seafile/sdoc-editor (npm), Mar 25, 2026
@grackle-ai/server has Missing Content-Security-Policy and X-Frame-Options Headers [Moderate] GHSA-3mjm-x6gw-2x42 was published for @grackle-ai/server (npm), Mar 25, 2026
@grackle-ai/server: Unescaped Error String in renderPairingPage() HTML Template [Low] GHSA-7q9x-8g6p-3x75 was published for @grackle-ai/server (npm), Mar 25, 2026
PDFME has XSS via Unsanitized i18n Label Injection into innerHTML in multiVariableText propPanel [Moderate] GHSA-xgx4-2wgv-4jhm was published for @pdfme/schemas (npm), Mar 20, 2026
oRPC has Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify [High] CVE-2026-33331 was published for @orpc/openapi (npm), Mar 20, 2026
SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials [Moderate] CVE-2026-33311 was published for @dicebear/core (npm), Mar 19, 2026
NotChatbot WebChat has a stored cross-site scripting (XSS) vulnerability [Moderate] CVE-2026-30048 was published for @developer.notchatbot/webchat (npm), Mar 18, 2026
Cross-Site Scripting (XSS) via SVG Schema innerHTML Injection in @pdfme/schemas [Moderate] GHSA-87v3-4cfp-cm76 was published for @pdfme/schemas (npm), Mar 18, 2026
Cross-Site Scripting (XSS) via Select Schema Option Value Injection in @pdfme/schemas [Moderate] GHSA-qq9g-96v4-m3cj was published for @pdfme/schemas (npm), Mar 18, 2026
jsPDF has HTML Injection in New Window paths [Critical] CVE-2026-31938 was published for jspdf (npm), Mar 17, 2026
Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries [High] CVE-2026-32728 was published for parse-server (npm), Mar 16, 2026