GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,297
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
399 advisories
Filter by severity
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login
Low
CVE-2026-48589
was published
for
org.apache.shiro:shiro-jakarta-ee
(Maven)
May 26, 2026
Logback vulnerable to Object Injection through HardenedObjectInputStream modules
Low
CVE-2026-10532
was published
for
ch.qos.logback:logback-core
(Maven)
Jun 1, 2026
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.
Low
CVE-2026-22741
was published
for
org.springframework:spring-webflux
(Maven)
Apr 29, 2026
QOS.CH Sarl logback logback-core has a deserialization of untrusted data vulnerability
Low
CVE-2026-9828
was published
for
ch.qos.logback:logback-core
(Maven)
May 28, 2026
land.oras:oras-java-sdk: Symlink-based path traversal in ArchiveUtils.untar / unzip allows arbitrary file write outside extraction directory
Low
GHSA-j6hm-v3x2-qv6j
was published
for
land.oras:oras-java-sdk
(Maven)
Jul 1, 2026
CrateDB's Blob HTTP handler bypasses authorization
Low
CVE-2026-49989
was published
for
io.crate:crate
(Maven)
Jul 1, 2026
Micronaut has Unbounded `bundleCache` in `ResourceBundleMessageSource` that Allows Memory Exhaustion via `Accept-Language` Header
Low
CVE-2026-44242
was published
for
io.micronaut:micronaut-inject
(Maven)
May 6, 2026
Sigstore Java has a vulnerability with bundle verification of integratedTime
Low
CVE-2026-48791
was published
for
dev.sigstore:sigstore-java
(Maven)
Jun 30, 2026
TCC-TRANSACTION has an Improper Input Validation vulnerability
Low
CVE-2026-9497
was published
for
org.mengyun:tcc-transaction
(Maven)
May 26, 2026
jasypt-spring-boot Uses a One-Way Hash without a Salt
Low
CVE-2026-9370
was published
for
com.github.ulisesbocchio:jasypt-spring-boot
(Maven)
May 26, 2026
Apache Tomcat - Security constraint bypass with HTTP/0.9
Low
CVE-2026-24733
was published
for
org.apache.tomcat:tomcat-coyote
(Maven)
Feb 17, 2026
OpenAM SAML2 Cluster Cookie-Hash-Redirect Path has Pre-authentication Reflected XSS via `FSUtils.postToTarget`
Low
CVE-2026-44793
was published
for
org.openidentityplatform.openam:openam-federation-library
(Maven)
Jun 22, 2026
Keycloak's identity-first login flow exposes user information
Low
CVE-2026-4633
was published
for
org.keycloak:keycloak-services
(Maven)
Mar 23, 2026
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender
Low
CVE-2020-9488
was published
for
org.apache.logging.log4j:log4j
(Maven)
Jun 5, 2020
Apache Spark has Inadequate Encryption Strength
Low
CVE-2025-55039
was published
for
org.apache.spark:spark-network-common_2.12
(Maven)
Oct 15, 2025
Vaadin Build Plugins is Affected by a Possible Information Disclosure Vulnerability
Low
CVE-2026-7860
was published
for
com.vaadin:flow-gradle-plugin
(Maven)
May 19, 2026
Apache Tomcat - AJP secret compared in non-constant time
Low
CVE-2026-43514
was published
for
org.apache.tomcat.embed:tomcat-embed-core
(Maven)
May 12, 2026
veraPDF CLI has potential XXE (XML External Entity Injection) vulnerability
Low
CVE-2024-52800
was published
for
org.verapdf:core
(Maven)
Dec 2, 2024
Netty has HTTP Header Injection via HttpProxyHandler Disabled Validation (Incomplete Fix CVE-2025-67735)
Low
CVE-2026-42578
was published
for
io.netty:netty-handler-proxy
(Maven)
May 7, 2026
Apache Tomcat Vulnerable to Improper Resource Shutdown or Release
Low
CVE-2025-61795
was published
for
org.apache.tomcat.embed:tomcat-embed-core
(Maven)
Oct 27, 2025
Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences
Low
CVE-2025-55754
was published
for
org.apache.tomcat.embed:tomcat-embed-core
(Maven)
Oct 27, 2025
Geyser Vulnerable to Server-Side Request Forgery (SSRF) via Player Head Texture URL in Geyser
Low
CVE-2026-42188
was published
for
org.geysermc.geyser:core
(Maven)
May 5, 2026
xxl-job Jobs Handler remove function allows improper control of resource identifiers via ID parameter
Low
CVE-2025-9264
was published
for
com.xuxueli:xxl-job-admin
(Maven)
Aug 21, 2025
xxl-job Vulnerable to Resource Injection and Authorization Bypass Through User-Controlled Key
Low
CVE-2025-9263
was published
for
com.xuxueli:xxl-job-admin
(Maven)
Aug 21, 2025
xxl-job has Inadequate Encryption Strength
Low
CVE-2025-7789
was published
for
com.xuxueli:xxl-job-admin
(Maven)
Jul 18, 2025
ProTip!
Advisories are also available from the
GraphQL API