Add GHSA-prqw-jx4x-vw4x (OSV.dev XSS security research)

advisories/github-reviewed/2026/05/GHSA-test-xss-0sec/GHSA-test-xss-0sec.json

@@ -0,0 +1,53 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-test-xss-0sec",
+  "modified": "2026-05-13T00:00:00Z",
+  "published": "2026-05-13T00:00:00Z",
+  "aliases": [],
+  "summary": "Security Research Test Advisory - OSV XSS Validation (Will Be Removed)",
+  "details": "This is a **test advisory** submitted as part of authorized security research for Google OSS VRP (Issue 512669343). It demonstrates that javascript: URLs in reference fields pass through OSV's schema validation and render as clickable XSS links on osv.dev.\n\nThis advisory will be removed after verification. The affected package does not exist.\n\nRef: https://issuetracker.google.com/issues/512669343",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "osv-xss-security-test-nonexistent-pkg-2026"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "99.99.99"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://issuetracker.google.com/issues/512669343"
+    },
+    {
+      "type": "WEB",
+      "url": "javascript:alert(document.domain)"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false
+  }
+}

advisories/unreviewed/2026/05/GHSA-prqw-jx4x-vw4x/GHSA-prqw-jx4x-vw4x.json

@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-prqw-jx4x-vw4x",
+  "modified": "2026-05-13T21:24:25Z",
+  "published": "2026-05-13T21:24:25Z",
+  "aliases": [],
+  "summary": "XSS via javascript: URL in vulnerability references (OSV.dev security research)",
+  "details": "This is a **test advisory** created as part of authorized security research for Google OSS VRP (Issue 512669343). It demonstrates that `javascript:` URLs in reference fields pass through OSV's validation and render as clickable XSS links on osv.dev. The affected package is intentionally empty and does not exist on npm. This advisory will be withdrawn after verification.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "osv-xss-security-test-2026"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "99.99.99"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://issuetracker.google.com/issues/512669343"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ikow/osv-xss-security-test/security/advisories/GHSA-prqw-jx4x-vw4x"
+    },
+    {
+      "type": "WEB",
+      "url": "javascript:alert(document.domain)"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": null
+  }
+}