GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,297
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
14 advisories
Filter by severity
Spring Security Vulnerable to Unauthorized User Impersonation when Using X.509 Client Certificates
Moderate
CVE-2026-47838
was published
for
org.springframework.security:spring-security-web
(Maven)
Jun 10, 2026
In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header
Moderate
CVE-2026-41726
was published
for
org.springframework.kafka:spring-kafka
(Maven)
Jun 10, 2026
Vert.x has a DoS via unbounded server-side SNI SslContext cache growth
Moderate
CVE-2026-6860
was published
for
io.vertx:vertx-core
(Maven)
May 9, 2026
Duplicate Advisory: uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
Low
GHSA-qmq6-f8pr-cx5x
was published
for
uuid
(npm)
Apr 23, 2026
•
withdrawn
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
Moderate
CVE-2026-41907
was published
for
uuid
(npm)
Apr 22, 2026
Undertow: Denial of Service via Multipart/Form-Data Parsing on HTTP GET Requests
Moderate
CVE-2026-3260
was published
for
io.undertow:undertow-core
(Maven)
Mar 24, 2026
Keycloak's identity-first login flow exposes user information
Low
CVE-2026-4633
was published
for
org.keycloak:keycloak-services
(Maven)
Mar 23, 2026
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder
Low
CVE-2026-27942
was published
for
fast-xml-parser
(npm)
Feb 26, 2026
Keycloak logs sensitive headers
Moderate
CVE-2025-11537
was published
for
org.keycloak:keycloak-quarkus-server
(Maven)
Feb 10, 2026
Keycloak services allows the issuance of access and refresh tokens for disabled users
Moderate
CVE-2025-14559
was published
for
org.keycloak:keycloak-services
(Maven)
Jan 21, 2026
Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions
Low
CVE-2025-14082
was published
for
org.keycloak:keycloak-services
(Maven)
Dec 10, 2025
Duplicate Advisory: Keycloak error_description injection on error pages that can trigger phishing attacks
Moderate
GHSA-xmcw-mv9p-7pq2
was published
for
org.keycloak:keycloak-account-ui
(Maven)
Sep 5, 2025
•
withdrawn
DOMPurify allows Cross-site Scripting (XSS)
Moderate
CVE-2025-26791
was published
for
dompurify
(npm)
Feb 14, 2025
ProTip!
Advisories are also available from the
GraphQL API