GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

884 advisories

fabric-sdk-java has ObjectInputStream.readObject() without ObjectInputFilter, which allows Java deserialization RCE Critical
CVE-2026-41586 was published for org.hyperledger.fabric-sdk-java:fabric-sdk-java (Maven) Apr 29, 2026
Credited to brodmart
Apache Tomcat: CLIENT_CERT authentication does not fail as expected Critical
CVE-2026-29145 was published for org.apache.tomcat:tomcat (Maven) Apr 9, 2026
Credited to aruneko
Apache Tomcat - Security constraints not correctly applied Critical
CVE-2026-43515 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
Apache Tomcat - Digest authenticator will authenticate any unknown user Critical
CVE-2026-43512 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
Apache Tomcat - HTTP/2 request headers not validated Critical
CVE-2026-41293 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
OpenMRS has Stored Velocity SSTI to RCE via ConceptReferenceRange Critical
CVE-2026-41258 was published for org.openmrs.api:openmrs-api (Maven) May 4, 2026
Credited to snomi and Volcore
Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users Critical
CVE-2026-42555 was published for com.ritense.valtimo:case (Maven) May 6, 2026
Amazon Redshift Vulnerable to Remote Code Execution via Unsafe Class Loading Critical
CVE-2026-8178 was published for com.amazon.redshift:redshift-jdbc42 (Maven) May 14, 2026
Credited to Fushuling
Sandboxed Thymeleaf expressions vulnerable to improper recognition of unauthorized syntax patterns Critical
CVE-2026-41901 was published for org.thymeleaf:thymeleaf (Maven) May 4, 2026
Credited to cristianstaicu
ArcadeDB vulnerable to cross-database authorization bypass and unsecured newly-created databases Critical
CVE-2026-44221 was published for com.arcadedb:arcadedb-server (Maven) May 5, 2026
sealed-env: TOTP secret embedded in unseal token payload (enterprise mode) Critical
CVE-2026-45091 was published for io.github.davidalmeidac:sealed-env-core (Maven) May 12, 2026
Credited to davidalmeidac
Apache Artemis and Apache ActiveMQ Artemis are Missing Authentication for Critical Functions Critical
CVE-2026-27446 was published for org.apache.activemq:artemis-server (Maven) Mar 4, 2026
Goobi viewer - Core: Unauthenticated Solr Streaming Expression Proxy Critical
CVE-2026-45083 was published for io.goobi.viewer:viewer-core (Maven) May 13, 2026
Spring AI: SpEL injection is triggered when a user-supplied value is used as a filter expression key Critical
CVE-2026-22738 was published for org.springframework.ai:spring-ai-vector-store (Maven) Mar 27, 2026
Mapfish Print: Remote Code Injection (RCE) in Dynamic table Critical
CVE-2026-44672 was published for org.mapfish.print:print-lib (Maven) May 13, 2026
Unity Catalog has a JWT Issuer Validation Bypass that Allows Complete User Impersonation Critical
CVE-2026-27478 was published for io.unitycatalog:unitycatalog-server (Maven) May 11, 2026
Credited to lukas-reining
Eclipse BaSyx Java Server SDK vulnerable to Path Traversal Critical
CVE-2026-7411 was published for org.eclipse.basyx:basyx.sdk (Maven) May 5, 2026
Spring Cloud Config vulnerable to Path Traversal Critical
CVE-2026-40982 was published for org.springframework.cloud:spring-cloud-config-server (Maven) May 7, 2026
Apache Wicket has a Session Fixation issue Critical
CVE-2026-40010 was published for org.apache.wicket:wicket-auth-roles (Maven) May 6, 2026
OpenMRS Module Upload Vulnerable to Path Traversal (Zip Slip) Critical
CVE-2026-40076 was published for org.openmrs.web:openmrs-web (Maven) May 4, 2026
Credited to Arron-bit
Apache Polaris has an Improper Input Validation issue Critical
CVE-2026-42812 was published for org.apache.polaris:polaris-runtime-service (Maven) May 4, 2026
Apache Polaris has an Improper Input Validation issue Critical
CVE-2026-42811 was published for org.apache.polaris:polaris-core (Maven) May 4, 2026
Apache Polaris has an Improper Input Validation Issue Critical
CVE-2026-42810 was published for org.apache.polaris:polaris-core (Maven) May 4, 2026
Apache Polaris has an Improper Input Validation Issue Critical
CVE-2026-42809 was published for org.apache.polaris:polaris-runtime-service (Maven) May 4, 2026
Apache OpenNLP ExtensionLoader Vulnerable to Arbitrary Class Instantiation via Model Manifest Critical
CVE-2026-42027 was published for org.apache.opennlp:opennlp-tools (Maven) May 4, 2026