From 8f9c3398f05d9c9267a5e8253f66058282a276be Mon Sep 17 00:00:00 2001
From: Qi Deng
Date: Wed, 13 May 2026 14:26:42 -0700
Subject: [PATCH] Add test advisory for OSV.dev XSS security research (Google VRP Issue 512669343) This advisory contains a javascript: URL in the references field to demonstrate that osv.dev renders reference URLs without URL scheme filtering, enabling stored XSS. This is authorized security research. The advisory will be withdrawn after verification.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
.../GHSA-test-xss-0sec.json | 53 +++++++++++++++++
.../GHSA-prqw-jx4x-vw4x.json | 59 +++++++++++++++++++
2 files changed, 112 insertions(+)
create mode 100644 advisories/github-reviewed/2026/05/GHSA-test-xss-0sec/GHSA-test-xss-0sec.json
create mode 100644 advisories/unreviewed/2026/05/GHSA-prqw-jx4x-vw4x/GHSA-prqw-jx4x-vw4x.json
diff --git a/advisories/github-reviewed/2026/05/GHSA-test-xss-0sec/GHSA-test-xss-0sec.json b/advisories/github-reviewed/2026/05/GHSA-test-xss-0sec/GHSA-test-xss-0sec.json
new file mode 100644
index 0000000000000..1ddf5388d32f7
--- /dev/null
+++ b/advisories/github-reviewed/2026/05/GHSA-test-xss-0sec/GHSA-test-xss-0sec.json
@@ -0,0 +1,53 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-test-xss-0sec",
+ "modified": "2026-05-13T00:00:00Z",
+ "published": "2026-05-13T00:00:00Z",
+ "aliases": [],
+ "summary": "Security Research Test Advisory - OSV XSS Validation (Will Be Removed)",
+ "details": "This is a **test advisory** submitted as part of authorized security research for Google OSS VRP (Issue 512669343). It demonstrates that javascript: URLs in reference fields pass through OSV's schema validation and render as clickable XSS links on osv.dev.\n\nThis advisory will be removed after verification. The affected package does not exist.\n\nRef: https://issuetracker.google.com/issues/512669343",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "osv-xss-security-test-nonexistent-pkg-2026"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "99.99.99"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://issuetracker.google.com/issues/512669343"
+ },
+ {
+ "type": "WEB",
+ "url": "javascript:alert(document.domain)"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false
+ }
+}
diff --git a/advisories/unreviewed/2026/05/GHSA-prqw-jx4x-vw4x/GHSA-prqw-jx4x-vw4x.json b/advisories/unreviewed/2026/05/GHSA-prqw-jx4x-vw4x/GHSA-prqw-jx4x-vw4x.json
new file mode 100644
index 0000000000000..2874d0bf4536e
--- /dev/null
+++ b/advisories/unreviewed/2026/05/GHSA-prqw-jx4x-vw4x/GHSA-prqw-jx4x-vw4x.json
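Review bot: In `GHSA-test-xss-0sec.json` the second `references` entry has a `javascript:` URL, and the same entry is the third reference in `GHSA-prqw-jx4x-vw4x.json`; a record in this feed is data that other sites ingest and render, so an active-scheme URL here reaches any consumer that does not filter schemes, not only the one named in the commit message. Reference `url` values should be restricted to `http`/`https` at validation time, and both records can document the finding through the existing `https://issuetracker.google.com/issues/512669343` reference alone. This file is also inconsistent with itself: it is placed under `github-reviewed/` while `database_specific.github_reviewed` is `false`, and its `id` has a three-character middle group where `GHSA-prqw-jx4x-vw4x` has four. The vector ends in `C:N/I:N/A:N`, which scores 0.0, so `"severity": "LOW"` does not follow from it.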
@@ -0,0 +1,59 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-prqw-jx4x-vw4x",
+ "modified": "2026-05-13T21:24:25Z",
+ "published": "2026-05-13T21:24:25Z",
+ "aliases": [],
+ "summary": "XSS via javascript: URL in vulnerability references (OSV.dev security research)",
+ "details": "This is a **test advisory** created as part of authorized security research for Google OSS VRP (Issue 512669343). It demonstrates that `javascript:` URLs in reference fields pass through OSV's validation and render as clickable XSS links on osv.dev. The affected package is intentionally empty and does not exist on npm. This advisory will be withdrawn after verification.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "osv-xss-security-test-2026"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "99.99.99"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://issuetracker.google.com/issues/512669343"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ikow/osv-xss-security-test/security/advisories/GHSA-prqw-jx4x-vw4x"
+ },
+ {
+ "type": "WEB",
+ "url": "javascript:alert(document.domain)"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": null
+ }
+}
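Review bot: `database_specific.severity` is `LOW`, but the vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` works out to 6.1, which falls in the medium band, so the field should read `"severity": "MODERATE"` or the vector should be corrected. The `affected` block attributes the issue to the npm name `osv-xss-security-test-2026`, which `details` says does not exist, while the behaviour described is in a website's rendering; a range of `0` to `99.99.99` on an unregistered name would presumably flag whoever publishes under that name later. This record and `GHSA-test-xss-0sec.json` describe the same issue under different package names with empty `aliases`, so nothing links the two.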