GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
466 advisories
Weblate: Stored HTML injection in editor search preview
Moderate | CVE-2026-45106 was published for weblate (pip) | May 15, 2026

Open WebUI vulnerable to stored XSS via OAuth picture claim stored as SVG data URI in profile_image_url
High | GHSA-3wgj-c2hg-vm6q was published for open-webui (pip) | May 14, 2026

pyLoad is vulnerable to stored XSS in Downloads view via unsanitized link URL in packages.js template literal
High | CVE-2026-45348 was published for pyload-ng (pip) | May 14, 2026

Open WebUI has stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify)
Moderate | CVE-2026-45318 was published for open-webui (pip) | May 14, 2026

Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions
High | CVE-2026-45315 was published for open-webui (pip) | May 14, 2026

Open WebUI has stored XSS via the HTML rendering view
High | CVE-2026-45303 was published for open-webui (pip) | May 14, 2026

Open WebUI has Stored Cross-Site Scripting In Profile Picture
Moderate | CVE-2026-45299 was published for open-webui (pip) | May 14, 2026

ethyca-fides has a DOM-based XSS vulnerability in fides.js via fides_description override
High | CVE-2026-44541 was published for ethyca-fides (pip) | May 14, 2026

Mistune Image Directive CSS Injection Vulnerability
Moderate | CVE-2026-44899 was published for mistune (pip) | May 14, 2026

Mistune TOC Anchor Injection XSS
Moderate | CVE-2026-44898 was published for mistune (pip) | May 14, 2026

local-deep-research is Vulnerable to HTML Injection via Unescaped User Input in PDF Export (`pdf_service.py:_markdown_to_html`)
Moderate | CVE-2026-43979 was published for local-deep-research (pip) | May 11, 2026

pgAdmin 4: Stored cross-site scripting (XSS) vulnerability in Browser Tree and Explain Visualizer modules
Moderate | CVE-2026-7814 was published for pgadmin4 (pip) | May 11, 2026

Mistune Heading ID Attribute has Injection XSS
Moderate | CVE-2026-44897 was published for mistune (pip) | May 9, 2026

Mistune has XSS via unescaped figclass/figwidth in Figure directive
Moderate | CVE-2026-44896 was published for mistune (pip) | May 8, 2026

Mistune Math Plugin has an XSS Escape Bypass
Moderate | CVE-2026-44708 was published for mistune (pip) | May 8, 2026

Open WebUI has stored XSS in Excel file preview
High | CVE-2026-44549 was published for open-webui (pip) | May 8, 2026

Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order
Moderate | CVE-2026-44568 was published for open-webui (pip) | May 8, 2026

open-webui Vulnerable to Stored XSS via Model Description
High | CVE-2026-44721 was published for open-webui (npm) | May 8, 2026

netbox-data-flows has stored XSS in ObjectAlias names rendered inside DataFlow tables
High | GHSA-v7qw-hx66-4w9x was published for netbox-data-flows (pip) | May 7, 2026

Weblate vulnerable to XSS via crafted Markdown
Moderate | CVE-2026-44264 was published for weblate (pip) | May 7, 2026

JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content
High | CVE-2026-42557 was published for jupyterlab (pip) | May 6, 2026

Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS
High | CVE-2026-40171 was published for @jupyter-notebook/help-extension (npm) | Apr 30, 2026

beets has a Cross-site Scripting vulnerability
Moderate | CVE-2026-42052 was published for beets (pip) | Apr 29, 2026

wlc: print_html outputs API data without HTML escaping
Moderate | CVE-2026-42150 was published for wlc (pip) | Apr 24, 2026

ProTip! Advisories are also available from the GraphQL API.