GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories: All reviewed 5,000+; Composer 5,000+; Erlang 50; GitHub Actions 50; Go 3,673; Maven 5,000+; npm 5,000+; NuGet 932; pip 4,891; Pub 13; RubyGems 1,051; Rust 1,315; Swift 53
Unreviewed advisories: All unreviewed 5,000+
42,084 advisories
The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute...
High | Unreviewed | CVE-2026-23928 was published May 6, 2026
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is...
High | Unreviewed | CVE-2026-7332 was published May 6, 2026
An authenticated (non-super) administrator can create a maintenance period with a JavaScript...
High | Unreviewed | CVE-2026-23926 was published May 6, 2026
The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Stored...
Moderate | Unreviewed | CVE-2026-6672 was published May 6, 2026
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is...
High | Unreviewed | CVE-2026-7448 was published May 6, 2026
The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions...
Moderate | Unreviewed | CVE-2026-7457 was published May 6, 2026
Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display
Moderate | GHSA-fw8g-cg8f-9j28 was published for github.com/prometheus/prometheus (Go) May 5, 2026
ip-address has XSS in Address6 HTML-emitting methods
Moderate | CVE-2026-42338 was published for ip-address (npm) May 5, 2026
Grav is Vulnerable to Stored XSS via Tag Injection
High | CVE-2026-42611 was published for getgrav/grav (Composer) May 5, 2026
Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes
High | CVE-2026-42612 was published for getgrav/grav (Composer) May 5, 2026
Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel
Moderate | CVE-2026-42842 was published for getgrav/grav (Composer) May 5, 2026
Grav CMS vulnerable to stored XSS via Markdown media attribute() action
Moderate | CVE-2026-42841 was published for getgrav/grav (Composer) May 5, 2026
YAFNET has Stored XSS in Forum Thread Posts/Replies that Allows Arbitrary JavaScript Execution for All Thread Viewers
High | CVE-2026-43939 was published for YAFNET.Core (NuGet) May 5, 2026
YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header
High | CVE-2026-43938 was published for YAFNET.Core (NuGet) May 5, 2026
Fiber vulnerable to XSS in AutoFormat Content Negotiation
Moderate | CVE-2026-42554 was published for github.com/gofiber/fiber/v2 (Go) May 5, 2026
AVideo: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal
Moderate | CVE-2026-43878 was published for wwbn/avideo (Composer) May 5, 2026
AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers
Moderate | CVE-2026-43876 was published for wwbn/avideo (Composer) May 5, 2026
ISPConfig 3.3.0 is vulnerable to Cross Site Scripting (XSS) via the system status webpage.
Moderate | Unreviewed | CVE-2025-52206 was published May 5, 2026
@tdurieux/anonymous_github Vulnerable to XSS via Unsanitized GitHub Repository Content Rendering in Anonymous GitHub Origin
High | GHSA-g485-8j3v-p6x8 was published for @tdurieux/anonymous_github (npm) May 5, 2026
AmazCart CMS 3.4 contains a reflected cross-site scripting vulnerability that allows...
Moderate | Unreviewed | CVE-2023-54349 was published May 5, 2026
The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting...
Moderate | Unreviewed | CVE-2026-5159 was published May 5, 2026
The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via...
Moderate | Unreviewed | CVE-2026-4665 was published May 5, 2026
The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via...
High | Unreviewed | CVE-2026-4803 was published May 5, 2026
The Simple Owl Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via...
Moderate | Unreviewed | CVE-2026-6255 was published May 5, 2026
The Blog Settings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ...
Moderate | Unreviewed | CVE-2026-6704 was published May 5, 2026
ProTip! Advisories are also available from the GraphQL API.