Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,757
Maven
5,000+
npm
4,363
NuGet
765
pip
4,128
Pub
12
RubyGems
961
Rust
1,070
Swift
45
Unreviewed advisories
All unreviewed
5,000+

4,056 advisories

Loading
Libredesk has Improper Neutralization of HTML Tags in a Web Page High
GHSA-wh6m-h6f4-rjf4 was published for github.com/abhinavxd/libredesk (Go) Dec 16, 2025
PlayerIUnknown
Credited to PlayerIUnknown
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables Moderate
CVE-2025-68115 was published for parse-server (npm) Dec 16, 2025
yueyueL mtrezza
Credited to yueyueL and mtrezza
Mayan EDMS is vulnerable to XSS through the /authentication/ file Low
CVE-2025-14691 was published for mayan-edms (pip) Dec 15, 2025
Vuetify has a Cross-site Scripting (XSS) vulnerability in the VDatePicker component Moderate
CVE-2025-8082 was published for vuetify (npm) Dec 12, 2025
Algernon Cross-Site Scripting vulnerability Moderate
CVE-2025-65754 was published for github.com/xyproto/algernon (Go) Dec 10, 2025
Jenkins Coverage Plugin has a stored cross-site scripting (XSS) vulnerability High
CVE-2025-67641 was published for io.jenkins.plugins:coverage (Maven) Dec 10, 2025
XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication Moderate
CVE-2025-66472 was published for org.xwiki.platform:xwiki-platform-flamingo-skin-resources (Maven) Dec 10, 2025
4rdr
Credited to 4rdr
@tiptap/extension-link vulnerable to Cross-site Scripting (XSS) Low
CVE-2025-14284 was published for @tiptap/extension-link (npm) Dec 9, 2025
Shopware Storefront Reflected XSS in Storefront Login Page High
CVE-2025-67648 was published for shopware/shopware (Composer) Dec 9, 2025
tbrankaer NielDuysters
Credited to tbrankaer and NielDuysters
ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login High
CVE-2025-67495 was published for github.com/zitadel/zitadel (Go) Dec 8, 2025
amit-laish peintnermax
livio-a
Credited to amit-laish, peintnermax, and livio-a
NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content Moderate
CVE-2025-66470 was published for nicegui (pip) Dec 8, 2025
twmoon evnchn
falkoschindler
Credited to twmoon, evnchn, and falkoschindler
NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection Moderate
CVE-2025-66469 was published for nicegui (pip) Dec 8, 2025
twmoon evnchn
falkoschindler
Credited to twmoon, evnchn, and falkoschindler
Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF' High
CVE-2025-65959 was published for open-webui (npm) Dec 4, 2025
pyozzi-toss L2VE
Credited to pyozzi-toss and L2VE
Aimeos GrapesJS CMS extension has possible stored XSS that's exploitable by authenticated editors High
CVE-2025-66468 was published for aimeos/ai-cms-grapesjs (Composer) Dec 3, 2025
Grav CMS is vulnerable to Cross Site Scripting (XSS) in the page editor Moderate
CVE-2025-65186 was published for getgrav/grav (Composer) Dec 2, 2025
Calibre-Web Has a Stored Cross-Site Scripting (XSS) Vulnerability via the 'username' Field During User Creation Low
CVE-2025-65858 was published for calibreweb (pip) Dec 2, 2025
Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab Moderate
CVE-2025-66310 was published for getgrav/grav (Composer) Dec 2, 2025
marcelomulder nmmorette
Credited to marcelomulder and nmmorette
Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab Moderate
CVE-2025-66309 was published for getgrav/grav (Composer) Dec 2, 2025
marcelomulder nmmorette
Credited to marcelomulder and nmmorette
Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]` Moderate
CVE-2025-66308 was published for getgrav/grav (Composer) Dec 2, 2025
marcelomulder nmmorette
Credited to marcelomulder and nmmorette
Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes High
CVE-2025-66412 was published for @angular/compiler (npm) Dec 2, 2025
alan-agius4 securityMB
crisbeto devversion AKiileX AndrewKushnir
Credited to alan-agius4, securityMB, crisbeto, devversion, AKiileX, and AndrewKushnir
Grav Admin Plugin is vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]` Moderate
CVE-2025-66312 was published for getgrav/grav (Composer) Dec 2, 2025
marcelomulder nmmorette
Credited to marcelomulder and nmmorette
Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters Moderate
CVE-2025-66311 was published for getgrav/grav (Composer) Dec 2, 2025
marcelomulder nmmorette
Credited to marcelomulder and nmmorette
Snipe-IT allows stored XSS via the Locations "Country" field Moderate
CVE-2025-65622 was published for snipe/snipe-it (Composer) Dec 2, 2025
Snipe-IT is vulnerable to stored cross-site scripting Moderate
CVE-2025-65621 was published for snipe/snipe-it (Composer) Dec 1, 2025
Spotipy has a XSS vulnerability in its OAuth callback server Low
CVE-2025-66040 was published for spotipy (pip) Dec 1, 2025
yueyueL
Credited to yueyueL
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database