Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

399 advisories

Loading
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login Low
CVE-2026-48589 was published for org.apache.shiro:shiro-jakarta-ee (Maven) May 26, 2026
yeikel Credited to yeikel
Logback vulnerable to Object Injection through HardenedObjectInputStream modules Low
CVE-2026-10532 was published for ch.qos.logback:logback-core (Maven) Jun 1, 2026
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. Low
CVE-2026-22741 was published for org.springframework:spring-webflux (Maven) Apr 29, 2026
yuki-matsuhashi Credited to yuki-matsuhashi
QOS.CH Sarl logback logback-core has a deserialization of untrusted data vulnerability Low
CVE-2026-9828 was published for ch.qos.logback:logback-core (Maven) May 28, 2026
tonghuaroot Credited to tonghuaroot and jonesbusy jonesbusy jonesbusy
CrateDB's Blob HTTP handler bypasses authorization Low
CVE-2026-49989 was published for io.crate:crate (Maven) Jul 1, 2026
fab1ano Credited to fab1ano and matriv matriv matriv
offset Credited to offset, jojojo8359, and smallex jojojo8359 jojojo8359
smallex smallex
Sigstore Java has a vulnerability with bundle verification of integratedTime Low
CVE-2026-48791 was published for dev.sigstore:sigstore-java (Maven) Jun 30, 2026
TCC-TRANSACTION has an Improper Input Validation vulnerability Low
CVE-2026-9497 was published for org.mengyun:tcc-transaction (Maven) May 26, 2026
jasypt-spring-boot Uses a One-Way Hash without a Salt Low
CVE-2026-9370 was published for com.github.ulisesbocchio:jasypt-spring-boot (Maven) May 26, 2026
Apache Tomcat - Security constraint bypass with HTTP/0.9 Low
CVE-2026-24733 was published for org.apache.tomcat:tomcat-coyote (Maven) Feb 17, 2026
Jenson3210 Credited to Jenson3210 and yusuke-koyoshi yusuke-koyoshi yusuke-koyoshi
OpenAM SAML2 Cluster Cookie-Hash-Redirect Path has Pre-authentication Reflected XSS via `FSUtils.postToTarget` Low
CVE-2026-44793 was published for org.openidentityplatform.openam:openam-federation-library (Maven) Jun 22, 2026
gujjuboy10x00 Credited to gujjuboy10x00
Keycloak's identity-first login flow exposes user information Low
CVE-2026-4633 was published for org.keycloak:keycloak-services (Maven) Mar 23, 2026
dnegreira Credited to dnegreira and julianladisch julianladisch julianladisch
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender Low
CVE-2020-9488 was published for org.apache.logging.log4j:log4j (Maven) Jun 5, 2020
DmitriyLewen Credited to DmitriyLewen
Apache Spark has Inadequate Encryption Strength Low
CVE-2025-55039 was published for org.apache.spark:spark-network-common_2.12 (Maven) Oct 15, 2025
Vaadin Build Plugins is Affected by a Possible Information Disclosure Vulnerability Low
CVE-2026-7860 was published for com.vaadin:flow-gradle-plugin (Maven) May 19, 2026
Apache Tomcat - AJP secret compared in non-constant time Low
CVE-2026-43514 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
veraPDF CLI has potential XXE (XML External Entity Injection) vulnerability Low
CVE-2024-52800 was published for org.verapdf:core (Maven) Dec 2, 2024
Netty has HTTP Header Injection via HttpProxyHandler Disabled Validation (Incomplete Fix CVE-2025-67735) Low
CVE-2026-42578 was published for io.netty:netty-handler-proxy (Maven) May 7, 2026
August829 Credited to August829
Apache Tomcat Vulnerable to Improper Resource Shutdown or Release Low
CVE-2025-61795 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Oct 27, 2025
tkwilli94 Credited to tkwilli94
Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences Low
CVE-2025-55754 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Oct 27, 2025
aruneko Credited to aruneko
Geyser Vulnerable to Server-Side Request Forgery (SSRF) via Player Head Texture URL in Geyser Low
CVE-2026-42188 was published for org.geysermc.geyser:core (Maven) May 5, 2026
shibata-yudai Credited to shibata-yudai and onebeastchris onebeastchris onebeastchris
xxl-job Jobs Handler remove function allows improper control of resource identifiers via ID parameter Low
CVE-2025-9264 was published for com.xuxueli:xxl-job-admin (Maven) Aug 21, 2025
xxl-job Vulnerable to Resource Injection and Authorization Bypass Through User-Controlled Key Low
CVE-2025-9263 was published for com.xuxueli:xxl-job-admin (Maven) Aug 21, 2025
xxl-job has Inadequate Encryption Strength Low
CVE-2025-7789 was published for com.xuxueli:xxl-job-admin (Maven) Jul 18, 2025
ProTip! Advisories are also available from the GraphQL API