Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,430
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,680
Pub
13
RubyGems
1,029
Rust
1,212
Swift
53
Unreviewed advisories
All unreviewed
5,000+

2,055 advisories

Loading
XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API High
CVE-2026-33229 was published for org.xwiki.platform:xwiki-platform-legacy-oldcore (Maven) Apr 8, 2026
azefzafyoussef Credited to azefzafyoussef
Emissary has a Command Injection via PLACE_NAME Configuration in Executrix High
CVE-2026-35581 was published for gov.nsa.emissary:emissary (Maven) Apr 8, 2026
BrennanTM Credited to BrennanTM
Java-SDK has a DNS Rebinding Vulnerability High
CVE-2026-35568 was published for io.modelcontextprotocol.sdk:mcp-core (Maven) Apr 7, 2026
JLLeitschuh Credited to JLLeitschuh
Jackson Core: Document length constraint bypass in blocking, async, and DataInput parsers High
GHSA-2m67-wjpj-xhg9 was published for tools.jackson.core:jackson-core (Maven) Apr 4, 2026
anyzy2003 Credited to anyzy2003
Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw High
CVE-2026-4282 was published for org.keycloak:keycloak-services (Maven) Apr 2, 2026
Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants High
CVE-2026-4636 was published for org.keycloak:keycloak-services (Maven) Apr 2, 2026
Keycloak: Application-Level DoS via Scope Processing High
CVE-2026-4634 was published for org.keycloak:keycloak-services (Maven) Apr 2, 2026
Keycloak: Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint High
CVE-2026-3872 was published for org.keycloak:keycloak-services (Maven) Apr 2, 2026
HAPI FHIR Core has Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect High
CVE-2026-34359 was published for ca.uhn.hapi.fhir:org.hl7.fhir.core (Maven) Mar 30, 2026
offset Credited to offset
Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON High
CVE-2026-34214 was published for io.trino:trino-iceberg (Maven) Mar 29, 2026
findinpath Credited to findinpath, ebyhr, chenjian2664, losipiuk, and findepi ebyhr ebyhr
chenjian2664 chenjian2664 losipiuk losipiuk findepi findepi
AWS SDK for Java 2.0: Improper Handling of Special Characters in CloudFront Signing Utilities High
GHSA-443w-3rq3-5m5h was published for software.amazon.awssdk:cloudfront (Maven) Mar 27, 2026
Undertow is Vulnerable to HTTP Request/Response Smuggling High
CVE-2026-28369 was published for io.undertow:undertow-parent (Maven) Mar 27, 2026
Undertow is Vulnerable to HTTP Request/Response Smuggling High
CVE-2026-28368 was published for io.undertow:undertow-parent (Maven) Mar 27, 2026
Undertow is Vulnerable to HTTP Request/Response Smuggling High
CVE-2026-28367 was published for io.undertow:undertow-parent (Maven) Mar 27, 2026
Spring AI Redis Store has TAG Field Query Injection Through Improper Neutralization of Special Characters High
CVE-2026-22744 was published for org.springframework.ai:spring-ai-redis-store (Maven) Mar 27, 2026
Spring AI has a Cypher Injection vulnerability in Neo4jVectorFilterExpressionConverter High
CVE-2026-22743 was published for org.springframework.ai:spring-ai-neo4j-store (Maven) Mar 27, 2026
Spring AI: Insufficient Validation causes SSRF when processing multimodal messages with user-supplied URLs High
CVE-2026-22742 was published for org.springframework.ai:spring-ai-bedrock-converse (Maven) Mar 27, 2026
Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass High
CVE-2026-33871 was published for io.netty:netty-codec-http2 (Maven) Mar 26, 2026
sprabhav7 Credited to sprabhav7
Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing High
CVE-2026-33870 was published for io.netty:netty-codec-http (Maven) Mar 26, 2026
xclow3n Credited to xclow3n
pf4j is vulnerable to Path Traversal or Zip Slip attack through improper handling of zip entry names High
CVE-2025-70952 was published for org.pf4j:pf4j (Maven) Mar 25, 2026
Plexus-Utils has a Directory Traversal vulnerability in its extractFile method High
CVE-2025-67030 was published for org.codehaus.plexus:plexus-utils (Maven) Mar 25, 2026
Spring Cloud Config Server: Path Traversal via Profile Parameter Allows Arbitrary File Access High
CVE-2026-22739 was published for org.springframework.cloud:spring-cloud-config-server (Maven) Mar 24, 2026
Spring Boot has an Authentication Bypass under Actuator Health groups paths High
CVE-2026-22731 was published for org.springframework.boot:spring-boot-starter-actuator (Maven) Mar 20, 2026
Spring Boot has an Authentication Bypass under Actuator CloudFoundry endpoints High
CVE-2026-22733 was published for org.springframework.boot:spring-boot-starter-actuator (Maven) Mar 20, 2026
Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allure 2, and XCTest Readers) High
CVE-2026-33166 was published for io.qameta.allure:allure-generator (Maven) Mar 18, 2026
ThanosTsiamis Credited to ThanosTsiamis and baev baev baev
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database