GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,171 advisories

fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode Moderate
CVE-2026-45581 was published for org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim (Maven) May 19, 2026
Credited to lalalala5678 and bestbeforetoday
OpenTelemetry Java SDK has Unbounded Memory Allocation in W3C Baggage Propagation Moderate
CVE-2026-45292 was published for io.opentelemetry:opentelemetry-api (Maven) May 14, 2026
Credited to August829, trask, and jack-berg
Apache Commons Configuration: StackOverflowError for YAML input with cycles Moderate
CVE-2026-45205 was published for org.apache.commons:commons-configuration2 (Maven) May 14, 2026
Vert.x has a DoS via unbounded server-side SNI SslContext cache growth Moderate
CVE-2026-6860 was published for io.vertx:vertx-core (Maven) May 9, 2026
Credited to shblue21
Bouncy Castle has a vulnerability in program files gcm128w, gcm512w Moderate
CVE-2026-8149 was published for org.bouncycastle:bc-fips (Maven) May 8, 2026
Alkacon OpenCms is vulnerable to XSS via updateModelGroups.jsp Moderate
CVE-2023-42345 was published for org.opencms:opencms-core (Maven) May 8, 2026
Alkacon OpenCms is vulnerable to XSS via cmis-online/type Moderate
CVE-2023-42343 was published for org.opencms:opencms-core (Maven) May 8, 2026
Spring Cloud Config Server Logged Sensitive Information Moderate
CVE-2026-41004 was published for org.springframework.cloud:spring-cloud-config-server (Maven) May 7, 2026
Netty MQTT: Resource exhaustion in MqttDecoder Moderate
CVE-2026-44248 was published for io.netty:netty-codec-mqtt (Maven) May 7, 2026
Credited to chrisvest
Netty Redis Codec Encoder has a CRLF Injection Issue Moderate
CVE-2026-42586 was published for io.netty:netty-codec-redis (Maven) May 7, 2026
Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding Moderate
CVE-2026-42585 was published for io.netty:netty-codec-http (Maven) May 7, 2026
Credited to violetagg
Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization Moderate
CVE-2026-42581 was published for io.netty:netty-codec-http (Maven) May 7, 2026
Credited to subbudvk
Netty vulnerable to HTTP Request Smuggling due to incorrect chunk size parsing Moderate
CVE-2026-42580 was published for io.netty:netty-codec-http (Maven) May 7, 2026
Credited to violetagg
OpenSearch Security plugin: DLS not applied on documents linked by has_child or has_parent relation Moderate
GHSA-x83w-23jp-g6pw was published for org.opensearch.plugin:opensearch-security (Maven) May 7, 2026
Spring Cloud AWS missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications Moderate
CVE-2026-44308 was published for io.awspring.cloud:spring-cloud-aws-sns (Maven) May 7, 2026
Credited to MatejNedic
axonflow-sdk-java: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification Moderate
GHSA-248h-974q-xrc2 was published for com.getaxonflow:axonflow-sdk (Maven) May 6, 2026
Apache Wicket has a Path Traversal issue Moderate
CVE-2026-43975 was published for org.apache.wicket:wicket-core (Maven) May 6, 2026
Apache Wicket has a Cross-site Scripting issue Moderate
CVE-2026-42509 was published for org.apache.wicket:wicket-parent (Maven) May 6, 2026
XWiki PlantUML Macro Vulnerable to Server-Side Request Forgery (SSRF) via 'server' parameter Moderate
CVE-2026-42140 was published for org.xwiki.contrib.plantuml:macro-plantuml-macro (Maven) May 5, 2026
Credited to lukasz-rybak
Netty: Start-Line Injection in DefaultHttpRequest.setUri() Allows HTTP Request Smuggling and RTSP Request Injection Moderate
CVE-2026-41417 was published for io.netty:netty-codec-http (Maven) May 5, 2026
Credited to oxqnd, aest3ra, and mjkim610
quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations Moderate
CVE-2026-42333 was published for io.quarkiverse.openapi.generator:quarkus-openapi-generator (Maven) May 4, 2026
Credited to Jvr2022 and ricardozanini
jOpenDocument has an improper restriction of XML external entity reference vulnerability Moderate
CVE-2026-6501 was published for org.jopendocument:jOpenDocument (Maven) May 4, 2026
Shopizer is vulnerable to Cross-site Scripting Moderate
CVE-2026-36766 was published for com.shopizer:shopizer (Maven) Apr 30, 2026
Keycloak has a Forced Browsing issue Moderate
CVE-2026-7500 was published for org.keycloak:keycloak-services (Maven) Apr 30, 2026