Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,894
Maven
5,000+
npm
5,000+
NuGet
963
pip
5,000+
Pub
13
RubyGems
1,061
Rust
1,373
Swift
54
Unreviewed advisories
All unreviewed
5,000+

2,143 advisories

Loading
OpenMetadata: TEST_CONNECTION workflow leaks ingestion-bot JWT and database password to regular users High
CVE-2026-46481 was published for org.open-metadata:openmetadata-service (Maven) May 21, 2026
JorgeCampoverdeA Credited to JorgeCampoverdeA
camel-infinispan Vulnerable to Deserialization of Untrusted Data High
CVE-2026-6857 was published for org.apache.camel:camel-infinispan (Maven) Apr 22, 2026
Uncontrolled Resource Consumption in FasterXML jackson-databind High
CVE-2022-42004 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Oct 3, 2022
AdamKorcz Credited to AdamKorcz, sonnyhcl, sunSUNQ, pjfanning, and albertabiev1 sonnyhcl sonnyhcl
sunSUNQ sunSUNQ pjfanning pjfanning albertabiev1 albertabiev1
hjson stack exhaustion vulnerability High
CVE-2023-34620 was published for github.com/hjson/hjson-go/v4 (Composer) Jun 14, 2023
achibear Credited to achibear
Apache Tomcat: Configured cipher preference order not preserved High
CVE-2026-29129 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Apr 9, 2026
aruneko Credited to aruneko
Potential remote code execution in Apache Tomcat High
CVE-2020-9484 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 21, 2020
sunSUNQ Credited to sunSUNQ and aruneko aruneko aruneko
Apache Tomcat has an HTTP Request/Response Smuggling vulnerability High
CVE-2026-24880 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Apr 9, 2026
tkwilli94 Credited to tkwilli94 and aruneko aruneko aruneko
Improper Restriction of Operations within the Bounds of a Memory Buffer in Apache Tomcat High
CVE-2020-13934 was published for org.apache.tomcat:tomcat (Maven) Feb 8, 2022
aruneko Credited to aruneko
Apache Tomcat Denial of Service vulnerability High
CVE-2019-0199 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Jun 15, 2020
aruneko Credited to aruneko
Keycloak: Unauthorized authentication via disabled SAML Identity Provider High
CVE-2026-2603 was published for org.keycloak:keycloak-server-spi-private (Maven) Mar 18, 2026
ig596 Credited to ig596 and sekveaja sekveaja sekveaja
Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing High
CVE-2026-2332 was published for org.eclipse.jetty:jetty-http (Maven) Apr 14, 2026
xclow3n Credited to xclow3n, jhy, and tlarionova-max jhy jhy
tlarionova-max tlarionova-max
Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service High
CVE-2026-45799 was published for com.squareup.wire:wire-runtime (Maven) May 19, 2026
TrekLaps Credited to TrekLaps
ORAS Java: Path traversal in pullArtifact via attacker-controlled org.opencontainers.image.title annotation High
GHSA-xm96-gfjx-jcrc was published for land.oras:oras-java-sdk (Maven) May 19, 2026
ChipWolf Credited to ChipWolf and jonesbusy jonesbusy jonesbusy
Apache Tomcat: LockOutRealm treats user names as case-sensitive High
CVE-2026-43513 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
Apache Tomcat - WebSocket authentication header exposure High
CVE-2026-42498 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling High
CVE-2026-41284 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint High
CVE-2026-45367 was published for ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 (Maven) May 18, 2026
offset Credited to offset
Spring AI: Prompt Injection via Memory Poisoning in PromptChatMemoryAdvisor High
CVE-2026-41713 was published for org.springframework.ai:spring-ai-client-chat (Maven) May 12, 2026
Spring AI: ChatMemory DEFAULT_CONVERSATION_ID causes unintended cross-user data leakage High
CVE-2026-41712 was published for org.springframework.ai:spring-ai-advisors-vector-store (Maven) May 12, 2026
async-http-client: Cookie header not stripped on cross-origin redirect High
CVE-2026-45300 was published for org.asynchttpclient:async-http-client (Maven) May 18, 2026
tndud042713 Credited to tndud042713
Duplicate Advisory: Wildfly Elytron integration susceptible to brute force attacks via CLI High
GHSA-3jxr-23ph-c89g was published for org.wildfly.core:wildfly-elytron-integration (Maven) Mar 4, 2025 withdrawn
Spring AI MCP Security: Unvalidated URL Fetching (SSRF) High
CVE-2026-45609 was published for org.springaicommunity:mcp-client-security (Maven) May 18, 2026
srikanthramu Credited to srikanthramu
bitcoinj has a ScriptExecution P2PKH/P2WPKH Verification Bypass High
CVE-2026-44714 was published for org.bitcoinj:bitcoinj-core (Maven) May 8, 2026
jmecom Credited to jmecom, msgilligan, and schildbach msgilligan msgilligan
schildbach schildbach
Improper Verification of Cryptographic Signature in com.oviva.telematik:epa4all-client High
CVE-2026-45575 was published for com.oviva.telematik:epa4all-client (Maven) May 15, 2026
snomi Credited to snomi and Volcore Volcore Volcore
epa4all-client: TLS Certificate Validation Disabled in Production High
CVE-2026-45574 was published for com.oviva.telematik:epa4all-client (Maven) May 15, 2026
snomi Credited to snomi and Volcore Volcore Volcore
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database