Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
41
Go
3,016
Maven
5,000+
npm
4,737
NuGet
814
pip
4,347
Pub
12
RubyGems
987
Rust
1,140
Swift
50
Unreviewed advisories
All unreviewed
5,000+

18 advisories

Loading
Fabric.js Affected by Stored XSS via SVG Export High
CVE-2026-27013 was published for fabric (npm) Feb 18, 2026
nedlir
Credited to nedlir
jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property) High
CVE-2026-25940 was published for jspdf (npm) Feb 19, 2026
Macabely
Credited to Macabely
jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method High
CVE-2026-25755 was published for jspdf (npm) Feb 19, 2026
ZeroXJacks
Credited to ZeroXJacks
jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution High
CVE-2026-24737 was published for jspdf (npm) Feb 2, 2026
ahmetartuc
Credited to ahmetartuc
Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF' High
CVE-2025-65959 was published for open-webui (npm) Dec 4, 2025
pyozzi-toss L2VE
Credited to pyozzi-toss and L2VE
get-jwks: poisoned JWKS cache allows post-fetch issuer validation bypass Critical
CVE-2025-59936 was published for get-jwks (npm) Sep 26, 2025
epureionut99
Credited to epureionut99
Element Plus Link component (el-link) implements insufficient input validation for the href attribute Moderate
CVE-2025-57665 was published for element-plus (npm) Sep 9, 2025
EwenDC
Credited to EwenDC
KaTeX \htmlData does not validate attribute names Moderate
CVE-2025-23207 was published for katex (npm) Jan 17, 2025
nsysean edemaine
Credited to nsysean and edemaine
MathLive's Lack of Escaping of HTML allows for XSS Moderate
CVE-2025-29049 was published for mathlive (npm) Jan 21, 2025
nsysean arnog
Credited to nsysean and arnog
DOM Expressions has a Cross-Site Scripting (XSS) vulnerability due to improper use of string.replace High
CVE-2025-27108 was published for dom-expressions (npm) Feb 25, 2025
nsysean ryansolid
Credited to nsysean and ryansolid
Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS) High
CVE-2025-27109 was published for solid-js (npm) Feb 25, 2025
ryansolid nsysean
Credited to ryansolid and nsysean
React Developer Tools extension Improper Authorization vulnerability Moderate
CVE-2023-5654 was published for react-devtools-core (npm) Oct 19, 2023
KaTeX's `\includegraphics` does not escape filename Moderate
CVE-2024-28245 was published for katex (npm) Mar 25, 2024
martinvks edemaine
jupenur
Credited to martinvks, edemaine, and jupenur
Misinterpretation of malicious XML input Moderate
CVE-2021-32796 was published for @xmldom/xmldom (npm) Aug 3, 2021
diptendur2c
Credited to diptendur2c
Critters Cross-site Scripting Vulnerability Moderate
CVE-2023-3481 was published for critters (npm) Aug 11, 2023
OpenZeppelin Contracts vulnerable to Improper Escaping of Output Moderate
CVE-2023-40014 was published for @openzeppelin/contracts (npm) Aug 11, 2023
dojox vulnerable to unescaped string injection Critical
CVE-2018-15494 was published for dojox (npm) Oct 15, 2018
Secret disclosure when containing characters that become URI encoded High
CVE-2020-26226 was published for semantic-release (npm) Nov 18, 2020
dbjorge
Credited to dbjorge
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database