
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,143 advisories

OpenMetadata: TEST_CONNECTION workflow leaks ingestion-bot JWT and database password to regular users High
CVE-2026-46481 was published for org.open-metadata:openmetadata-service (Maven) May 21, 2026
Credited to JorgeCampoverdeA
Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service High
CVE-2026-45799 was published for com.squareup.wire:wire-runtime (Maven) May 19, 2026
Credited to TrekLaps
ORAS Java: Path traversal in pullArtifact via attacker-controlled org.opencontainers.image.title annotation High
GHSA-xm96-gfjx-jcrc was published for land.oras:oras-java-sdk (Maven) May 19, 2026
Credited to ChipWolf and jonesbusy
HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint High
CVE-2026-45367 was published for ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 (Maven) May 18, 2026
Credited to offset
async-http-client: Cookie header not stripped on cross-origin redirect High
CVE-2026-45300 was published for org.asynchttpclient:async-http-client (Maven) May 18, 2026
Credited to tndud042713
Spring AI MCP Security: Unvalidated URL Fetching (SSRF) High
CVE-2026-45609 was published for org.springaicommunity:mcp-client-security (Maven) May 18, 2026
Credited to srikanthramu
Improper Verification of Cryptographic Signature in com.oviva.telematik:epa4all-client High
CVE-2026-45575 was published for com.oviva.telematik:epa4all-client (Maven) May 15, 2026
Credited to snomi and Volcore
epa4all-client: TLS Certificate Validation Disabled in Production High
CVE-2026-45574 was published for com.oviva.telematik:epa4all-client (Maven) May 15, 2026
Credited to snomi and Volcore
Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling High
CVE-2026-41284 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
Apache Tomcat - WebSocket authentication header exposure High
CVE-2026-42498 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
Apache Tomcat: LockOutRealm treats user names as case-sensitive High
CVE-2026-43513 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
Spring AI: Prompt Injection via Memory Poisoning in PromptChatMemoryAdvisor High
CVE-2026-41713 was published for org.springframework.ai:spring-ai-client-chat (Maven) May 12, 2026
Spring AI: ChatMemory DEFAULT_CONVERSATION_ID causes unintended cross-user data leakage High
CVE-2026-41712 was published for org.springframework.ai:spring-ai-advisors-vector-store (Maven) May 12, 2026
Valtimo has sensitive data exposure through HTTP request/response logging in LoggingRestClientCustomizer High
CVE-2026-44516 was published for com.ritense.valtimo:web (Maven) May 11, 2026
Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs High
CVE-2026-41705 was published for org.springframework.ai:spring-ai-milvus-store (Maven) May 9, 2026
epa4all-client has a VAU Signature bypass High
CVE-2026-44900 was published for com.oviva.telematik:epa4all-client (Maven) May 8, 2026
Credited to snomi and Volcore
bitcoinj has a ScriptExecution P2PKH/P2WPKH Verification Bypass High
CVE-2026-44714 was published for org.bitcoinj:bitcoinj-core (Maven) May 8, 2026
Credited to jmecom, msgilligan, and schildbach
Apache NiFi is missing the Restricted annotation with the Execute Code Required Permission High
CVE-2026-39816 was published for org.apache.nifi:nifi-other-graph-services-nar (Maven) May 8, 2026
Alkacon OpenCms is vulnerable to XXE when the <!DOCTYPE> refers to an external host High
CVE-2023-42346 was published for org.opencms:opencms-core (Maven) May 8, 2026
Alkacon OpenCms allows remote unauthenticated attackers to obtain sensitive information High
CVE-2023-42344 was published for org.opencms:opencms-core (Maven) May 8, 2026
Spring Cloud Config Server Susceptible To TOCTOU Attack High
CVE-2026-41002 was published for org.springframework.cloud:spring-cloud-config-server (Maven) May 7, 2026
Spring Cloud Config has an Authorization Bypass Through User-Controlled Key High
CVE-2026-40981 was published for org.springframework.cloud:spring-cloud-config (Maven) May 7, 2026
Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect High
CVE-2026-44503 was published for Microsoft.Kiota.Abstractions (Go) May 7, 2026
Credited to MIchaelMainer and offset
Netty has HttpClientCodec response desynchronization High
CVE-2026-42584 was published for io.netty:netty-codec-http (Maven) May 7, 2026
Credited to violetagg