Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,894
Maven
5,000+
npm
5,000+
NuGet
963
pip
5,000+
Pub
13
RubyGems
1,061
Rust
1,373
Swift
54
Unreviewed advisories
All unreviewed
5,000+

390 advisories

Loading
Apache Tomcat - AJP secret compared in non-constant time Low
CVE-2026-43514 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
Netty has HTTP Header Injection via HttpProxyHandler Disabled Validation (Incomplete Fix CVE-2025-67735) Low
CVE-2026-42578 was published for io.netty:netty-handler-proxy (Maven) May 7, 2026
August829 Credited to August829
OpenSearch has ineffective TLS certificate hostname verification Low
GHSA-x5hg-x4gv-j98m was published for org.opensearch.plugin:opensearch-security (Maven) May 7, 2026
OpenSearch vulnerable to improper authorization for Rollover Requests Low
GHSA-22vx-2x23-98w6 was published for org.opensearch.plugin:opensearch-security (Maven) May 7, 2026
OpenSearch has a bypass of REST Layer Authorization Using Malformed Paths Low
GHSA-83x9-vc3c-hghc was published for org.opensearch.plugin:opensearch-security (Maven) May 7, 2026
Micronaut has Unbounded `bundleCache` in `ResourceBundleMessageSource` that Allows Memory Exhaustion via `Accept-Language` Header Low
CVE-2026-44242 was published for io.micronaut:micronaut-inject (Maven) May 6, 2026
offset Credited to offset
Geyser Vulnerable to Server-Side Request Forgery (SSRF) via Player Head Texture URL in Geyser Low
CVE-2026-42188 was published for org.geysermc.geyser:core (Maven) May 5, 2026
shibata-yudai Credited to shibata-yudai and onebeastchris onebeastchris onebeastchris
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. Low
CVE-2026-22741 was published for org.springframework:spring-webflux (Maven) Apr 29, 2026
Spring Framework DoS with Multipart Temp Files in WebFlux Low
CVE-2026-22740 was published for org.springframework:spring-webflux (Maven) Apr 29, 2026
xxl-job has a Resource Injection issue Low
CVE-2026-7303 was published for com.xuxueli:xxl-job-admin (Maven) Apr 29, 2026
Spring gRPC AuthenticationException messages are reflected to remote client Low
CVE-2026-40969 was published for org.springframework.grpc:spring-grpc (Maven) Apr 28, 2026
Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider Low
CVE-2026-22746 was published for org.springframework.security:spring-security-core (Maven) Apr 22, 2026
Warm-Flow has a SpEL Expression Injection in SpelHelper.parseExpression Low
CVE-2026-6125 was published for org.dromara.warm:warm-flow-plugin-modes-sb (Maven) Apr 12, 2026
Apache Cassandra has an authenticated DoS over CQL Low
CVE-2026-32588 was published for org.apache.cassandra:cassandra-all (Maven) Apr 7, 2026
Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim Low
CVE-2026-37977 was published for org.keycloak:keycloak-services (Maven) Apr 6, 2026
Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation Low
CVE-2026-4874 was published for org.keycloak:keycloak-services (Maven) Mar 26, 2026
krapovneru Credited to krapovneru and dnegreira dnegreira dnegreira
Apache Artemis: Unauthorized Temporary Address Creation via OpenWire Protocol Low
CVE-2026-32642 was published for org.apache.activemq:artemis-openwire-protocol (Maven) Mar 24, 2026
Keycloak's identity-first login flow exposes user information Low
CVE-2026-4633 was published for org.keycloak:keycloak-services (Maven) Mar 23, 2026
dnegreira Credited to dnegreira
Spring MVC and WebFlux has Server Sent Event stream corruption Low
CVE-2026-22735 was published for org.springframework:spring-webflux (Maven) Mar 20, 2026
Keycloak vulnerable to authorization bypass via the Admin API Low
CVE-2026-2366 was published for @keycloak/keycloak-admin-client (Maven) Mar 12, 2026
Keycloak: Information disclosure of disabled user attributes via administrative endpoint Low
CVE-2026-3911 was published for org.keycloak:keycloak-services (Maven) Mar 11, 2026
Vaadin: Specially crafted ZIP archives can escape the intended extraction directory Low
CVE-2026-2741 was published for com.vaadin:flow-project (Maven) Mar 10, 2026
org.eclipse.jetty:jetty-http has different parsing of invalid URIs Low
CVE-2025-11143 was published for org.eclipse.jetty:jetty-http (Maven) Mar 5, 2026
zer0yu Credited to zer0yu and P3ngu1nW P3ngu1nW P3ngu1nW
Keycloak REST Services has a WebAuthn Attestation Statement Verification Bypass Low
CVE-2025-12150 was published for org.keycloak:keycloak-services (Maven) Feb 27, 2026
Snowflake JDBC Driver is Vulnerable to Uncontrolled Resource Consumption through SdkProxyRoutePlanner Low
CVE-2026-3293 was published for net.snowflake:snowflake-jdbc (Maven) Feb 27, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database