
Add GHSA-prqw-jx4x-vw4x (OSV.dev XSS security research)#7686

Closed
ikow wants to merge 1 commit into
github:ikow/advisory-improvement-7686from
ikow:osv-xss-poc
Closed

Conversation

ikow commented May 13, 2026

Context

This PR adds advisory GHSA-prqw-jx4x-vw4x as part of authorized security research for Google OSS VRP Issue 512669343.

The advisory demonstrates that javascript: URLs in the references field are not filtered by osv.dev when rendering vulnerability detail pages, enabling stored XSS.

What this tests

The advisory contains a reference with "url": "javascript:alert(document.domain)". When this advisory is imported by OSV and rendered on osv.dev, the Jinja2 template at vulnerability.html:144 will render:

<a href="javascript:alert(document.domain)" target="_blank" rel="nofollow noopener noreferrer">

Jinja2 auto-escaping does NOT filter javascript: URL schemes (only escapes < > & " ').

Cleanup

This advisory will be withdrawn after the vulnerability is verified. The test package does not exist on any package registry.
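The mitigation the description points at is a scheme allowlist applied before a reference URL reaches the template, since autoescaping alone leaves the scheme untouched. The following is an added example written for this page; it is not code from this PR, from the advisory database, or from osv.dev. `html.escape` stands in for Jinja2 autoescaping (it encodes the same five characters), and the function names, the `ALLOWED_SCHEMES` set and the sample references are constructed for illustration.

```python
# Added example (not part of this PR or of osv.dev): a URL-scheme allowlist for
# advisory reference links, contrasted with what autoescaping alone does.
# Function names and the sample references below are constructed for illustration.
from html import escape
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Schemes a reference link may carry. Anything else is rendered as plain text,
# never as a clickable href.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def autoescape_only(url: str) -> str:
    """Stand-in for Jinja2 autoescaping: entity-encodes < > & " ' and nothing else.

    A javascript: URL contains none of those characters, so it passes through
    unchanged and still runs when placed in an href attribute.
    """
    return escape(url, quote=True)


def safe_reference_href(url: str) -> Optional[str]:
    """Return the URL if it is an absolute http(s) URL, otherwise None.

    Allowlisting the scheme (instead of blocklisting "javascript:") also rejects
    data:, vbscript:, scheme-relative "//host" and scheme-less strings, and is
    not fooled by mixed case or surrounding whitespace.
    """
    candidate = url.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
        return candidate
    return None


def render_reference(reference: Dict[str, str]) -> str:
    """Render one OSV-style reference entry as an HTML fragment.

    The visible text is always escaped; an href is emitted only when the URL
    passed the scheme allowlist.
    """
    url = reference.get("url", "")
    text = escape(url, quote=True)
    href = safe_reference_href(url)
    if href is None:
        # No anchor at all: the target is shown to the reader but is not clickable.
        return f'<span class="reference">{text}</span>'
    return (
        f'<a href="{escape(href, quote=True)}" target="_blank" '
        f'rel="nofollow noopener noreferrer">{text}</a>'
    )


def render_references(references: List[Dict[str, str]]) -> List[str]:
    """Render every reference of an advisory."""
    return [render_reference(ref) for ref in references]


# Constructed sample references, shaped like the OSV "references" field.
SAMPLE_REFERENCES = [
    {"type": "WEB", "url": "https://example.com/advisories/EXAMPLE-0001"},
    {"type": "WEB", "url": "javascript:alert(document.domain)"},
    {"type": "WEB", "url": "JavaScript:alert(1)"},
    {"type": "WEB", "url": "data:text/html,<script>alert(1)</script>"},
    {"type": "WEB", "url": "//evil.example/"},
]

if __name__ == "__main__":
    # Only the https entry comes out as an <a>; the rest become inert <span>s.
    for fragment in render_references(SAMPLE_REFERENCES):
        print(fragment)
```

The check sits in the data path rather than in the template so that every page rendering a reference gets the same policy; rendering rejected URLs as text keeps the advisory content visible while removing the executable href.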

… 512669343)

This advisory contains a javascript: URL in the references field to
demonstrate that osv.dev renders reference URLs without URL scheme
filtering, enabling stored XSS.

This is authorized security research. The advisory will be withdrawn
after verification.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot changed the base branch from main to ikow/advisory-improvement-7686 May 13, 2026 21:28
@github-actions


👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions Bot added the Stale label Jun 16, 2026
shelbyc commented Jun 18, 2026
Contributor

Hi @ikow, thank you for providing information about the context around GHSA-prqw-jx4x-vw4x. I'm closing this PR because my teammates and I aren't comfortable with publishing test advisories for security research purposes. If you have concerns about the behavior of OSV.dev, the OSV project accepts issues at https://github.com/google/osv.dev/issues.

@shelbyc shelbyc closed this Jun 18, 2026