Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,623
Maven
5,000+
npm
5,000+
NuGet
927
pip
4,843
Pub
13
RubyGems
1,045
Rust
1,271
Swift
53
Unreviewed advisories
All unreviewed
5,000+

853 advisories

Loading
fabric-sdk-java has ObjectInputStream.readObject() without ObjectInputFilter, which allows Java deserialization RCE Critical
CVE-2026-41586 was published for org.hyperledger.fabric-sdk-java:fabric-sdk-java (Maven) Apr 29, 2026
brodmart Credited to brodmart
Spinnaker: RCE via expression parsing due to unrestricted context handling Critical
CVE-2026-32613 was published for io.spinnaker.echo:echo-pipelinetriggers (Maven) Apr 21, 2026
LeftenantZero Credited to LeftenantZero and jasonmcintosh jasonmcintosh jasonmcintosh
Spinnaker: RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths Critical
CVE-2026-32604 was published for io.spinnaker.clouddriver:clouddriver-artifacts-gitrepo (Maven) Apr 21, 2026
LeftenantZero Credited to LeftenantZero and jasonmcintosh jasonmcintosh jasonmcintosh
Apache Struts Remote Java Code Execution Critical
CVE-2012-0391 was published for org.apache.struts.xwork:xwork-core (Maven) May 4, 2022
sunSUNQ Credited to sunSUNQ
thenify before 3.3.1 made use of unsafe calls to `eval`. Critical
CVE-2020-7677 was published for org.webjars.npm:thenify (Maven) Jul 18, 2022
Wenxin-Jiang Credited to Wenxin-Jiang
Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf Critical
CVE-2026-40478 was published for org.thymeleaf:thymeleaf (Maven) Apr 15, 2026
Improper restriction of the scope of accessible objects in Thymeleaf expressions Critical
CVE-2026-40477 was published for org.thymeleaf:thymeleaf (Maven) Apr 15, 2026
Expression Injection in OpenRemote Critical
CVE-2026-39842 was published for io.openremote:openremote-manager (Maven) Apr 14, 2026
qxyuan853 Credited to qxyuan853
Apache Kafka does not validate JWT tokens in its OAUTHBEARER authentication implementation Critical
CVE-2026-33557 was published for org.apache.kafka:kafka-clients (Maven) Apr 20, 2026
corenlp is vulnerable to Improper Restriction of XML External Entity Reference Critical
CVE-2022-0239 was published for edu.stanford.nlp:stanford-corenlp (Maven) Jan 21, 2022
RainSignal Credited to RainSignal
Apache Tomcat: CLIENT_CERT authentication does not fail as expected Critical
CVE-2026-29145 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Apr 9, 2026
Emissary has GitHub Actions Shell Injection via Workflow Inputs Critical
CVE-2026-35580 was published for gov.nsa.emissary:emissary (Maven) Apr 8, 2026
BrennanTM Credited to BrennanTM
OpenIdentityPlatform OpenAM: Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM Critical
CVE-2026-33439 was published for org.openidentityplatform.openam:openam (Maven) Apr 7, 2026
iamnoooob Credited to iamnoooob and hacktronai-research hacktronai-research hacktronai-research
FHIR Validator HTTP service has SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft Critical
CVE-2026-34361 was published for ca.uhn.hapi.fhir:org.hl7.fhir.validation (Maven) Mar 30, 2026
offset Credited to offset
Spring AI: SpEL injection is triggered when a user-supplied value is used as a filter expression key Critical
CVE-2026-22738 was published for org.springframework.ai:spring-ai-vector-store (Maven) Mar 27, 2026
dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution Critical
CVE-2026-33728 was published for com.datadoghq:dd-java-agent (Maven) Mar 26, 2026
amine123ait Credited to amine123ait
OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution Critical
CVE-2026-33701 was published for io.opentelemetry.javaagent:opentelemetry-javaagent (Maven) Mar 25, 2026
splunk-otel-javaagent: Unsafe deserialization in RMI instrumentation may lead to Remote Code Execution Critical
GHSA-h8w2-rv57-vc6f was published for com.splunk:splunk-otel-javaagent (Maven) Mar 26, 2026
HAPI FHIR HTTP authentication leak in redirects Critical
CVE-2026-33180 was published for ca.uhn.hapi.fhir:org.hl7.fhir.convertors (Maven) Mar 18, 2026
ElliotSilver Credited to ElliotSilver
Liferay Portal has a Stored XSS with Blog entries (Insecure defaults) Critical
CVE-2024-25610 was published for com.liferay.portal:com.liferay.portal.web (Maven) Feb 20, 2024
org.postgresql:postgresql vulnerable to SQL Injection via line comment generation Critical
CVE-2024-1597 was published for org.postgresql:postgresql (Maven) Feb 21, 2024
paul-gerste-sonarsource Credited to paul-gerste-sonarsource
Liferay Portal and Liferay DXP's Users Admin module vulnerable to stored Cross-site Scripting Critical
CVE-2024-25602 was published for com.liferay.portal:release.dxp.bom (Maven) Feb 21, 2024
Liferay Portal Message Board widget and Liferay DXP vulnerable to stored Cross-site Scripting Critical
CVE-2024-25152 was published for com.liferay.portal:release.dxp.bom (Maven) Feb 21, 2024
Liferay Portal Expando module and Liferay DXP vulnerable to stored Cross-site Scripting Critical
CVE-2024-25601 was published for com.liferay.portal:release.dxp.bom (Maven) Feb 21, 2024
Liferay Portal and Liferay DXP vulnerable to Cross-site Scripting Critical
CVE-2024-25147 was published for com.liferay.portal:release.dxp.bom (Maven) Feb 21, 2024
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database