Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,952
Erlang
39
GitHub Actions
38
Go
2,612
Maven
5,000+
npm
4,252
NuGet
760
pip
4,027
Pub
12
RubyGems
953
Rust
1,049
Swift
45
Unreviewed advisories
All unreviewed
5,000+

173 advisories

Loading
Mattermost Server allows XSS via CSRF Moderate
CVE-2016-11084 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server: Files may be rendered inline instead of downloaded, allowing script execution Moderate
CVE-2016-11083 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server is vulnerable to XSS through crafted links Moderate
CVE-2016-11082 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server allows XSS via redirect URL Moderate
CVE-2016-11079 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener` Moderate
CVE-2016-11071 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server is vulnerable to XSS via a Legal or Support setting Moderate
CVE-2016-11073 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server is vulnerable to XSS through customizable theme color-code values Moderate
CVE-2016-11070 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
Mattermost Server vulnerable to Cross-site Scripting through file preview feature Moderate
CVE-2016-11063 was published for github.com/mattermost/mattermost-server (Go) May 24, 2022
listmonk: CSRF to XSS Chain can Lead to Admin Account Takeover High
CVE-2025-58430 was published for github.com/knadh/listmonk (Go) Sep 9, 2025
r3verii
Credited to r3verii
Memos Vulnerable to Stored Cross-Site Scripting Moderate
CVE-2025-56761 was published for github.com/usememos/memos (Go) Sep 4, 2025
Gokapi has stored XSS vulnerability in friendly name for API keys Moderate
CVE-2025-48495 was published for github.com/forceu/gokapi (Go) Jun 3, 2025
Forceu
Credited to Forceu
Gokapi vulnerable to stored XSS via uploading file with malicious file name Moderate
CVE-2025-48494 was published for github.com/forceu/gokapi (Go) Jun 3, 2025
4rdr Forceu
Credited to 4rdr and Forceu
Memos has Cross-Site Scripting (XSS) Vulnerability in Image URLs Moderate
CVE-2025-50738 was published for github.com/usememos/memos (Go) Jul 29, 2025
filebrowser allows Stored Cross-Site Scripting through the Markdown preview function High
CVE-2025-52902 was published for github.com/filebrowser/filebrowser (Go) Jun 27, 2025
mtausig hacdias
Credited to mtausig and hacdias
Beego allows Reflected/Stored XSS in Beego's RenderForm() Function Due to Unescaped User Input Critical
CVE-2025-30223 was published for github.com/beego/beego (Go) Mar 31, 2025
thevilledev
Credited to thevilledev
Gogs XSS allowed by stored call in PDF renderer Moderate
CVE-2025-47943 was published for github.com/gogs/gogs (Go) Jun 26, 2025
edoardottt
Credited to edoardottt
Harbor repository description page has Cross-site Scripting vulnerability Moderate
CVE-2025-32019 was published for github.com/goharbor/harbor (Go) Jul 23, 2025
Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin High
CVE-2025-4123 was published for github.com/grafana/grafana (Go) May 22, 2025
Grafana is vulnerable to XSS attacks through open redirects and path traversal High
CVE-2025-6023 was published for github.com/grafana/grafana (Go) Jul 18, 2025
ZITADEL has improper HTML sanitization in emails and Console UI Moderate
CVE-2024-41953 was published for github.com/zitadel/zitadel (Go) Jul 31, 2024
livio-a
Credited to livio-a
teler dashboard vulnerable to DOM-based cross-site scripting (XSS) Low
CVE-2022-23466 was published for teler.app (Go) Dec 6, 2022
Improper HTML sanitization in ZITADEL High
CVE-2024-28855 was published for github.com/zitadel/zitadel (Go) Mar 18, 2024
Argo CD allows cross-site scripting on repositories page Critical
CVE-2025-47933 was published for github.com/argoproj/argo-cd (Go) May 28, 2025
Ry0taK crenshaw-dev
Credited to Ry0taK and crenshaw-dev
Gogs vulnerable to Cross-site Scripting Critical
CVE-2022-32174 was published for gogs.io/gogs (Go) Oct 11, 2022
golang.org/x/net vulnerable to Cross-site Scripting Moderate
CVE-2025-22872 was published for golang.org/x/net (Go) Apr 16, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database