Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

399 advisories

Loading
tonghuaroot Credited to tonghuaroot and jonesbusy jonesbusy jonesbusy
CrateDB's Blob HTTP handler bypasses authorization Low
CVE-2026-49989 was published for io.crate:crate (Maven) Jul 1, 2026
fab1ano Credited to fab1ano and matriv matriv matriv
Sigstore Java has a vulnerability with bundle verification of integratedTime Low
CVE-2026-48791 was published for dev.sigstore:sigstore-java (Maven) Jun 30, 2026
OpenAM SAML2 Cluster Cookie-Hash-Redirect Path has Pre-authentication Reflected XSS via `FSUtils.postToTarget` Low
CVE-2026-44793 was published for org.openidentityplatform.openam:openam-federation-library (Maven) Jun 22, 2026
gujjuboy10x00 Credited to gujjuboy10x00
Logback vulnerable to Object Injection through HardenedObjectInputStream modules Low
CVE-2026-10532 was published for ch.qos.logback:logback-core (Maven) Jun 1, 2026
QOS.CH Sarl logback logback-core has a deserialization of untrusted data vulnerability Low
CVE-2026-9828 was published for ch.qos.logback:logback-core (Maven) May 28, 2026
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login Low
CVE-2026-48589 was published for org.apache.shiro:shiro-jakarta-ee (Maven) May 26, 2026
yeikel Credited to yeikel
TCC-TRANSACTION has an Improper Input Validation vulnerability Low
CVE-2026-9497 was published for org.mengyun:tcc-transaction (Maven) May 26, 2026
jasypt-spring-boot Uses a One-Way Hash without a Salt Low
CVE-2026-9370 was published for com.github.ulisesbocchio:jasypt-spring-boot (Maven) May 26, 2026
Vaadin Build Plugins is Affected by a Possible Information Disclosure Vulnerability Low
CVE-2026-7860 was published for com.vaadin:flow-gradle-plugin (Maven) May 19, 2026
Apache Tomcat - AJP secret compared in non-constant time Low
CVE-2026-43514 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
Netty has HTTP Header Injection via HttpProxyHandler Disabled Validation (Incomplete Fix CVE-2025-67735) Low
CVE-2026-42578 was published for io.netty:netty-handler-proxy (Maven) May 7, 2026
August829 Credited to August829
OpenSearch has ineffective TLS certificate hostname verification Low
GHSA-x5hg-x4gv-j98m was published for org.opensearch.plugin:opensearch-security (Maven) May 7, 2026
OpenSearch vulnerable to improper authorization for Rollover Requests Low
GHSA-22vx-2x23-98w6 was published for org.opensearch.plugin:opensearch-security (Maven) May 7, 2026
OpenSearch has a bypass of REST Layer Authorization Using Malformed Paths Low
GHSA-83x9-vc3c-hghc was published for org.opensearch.plugin:opensearch-security (Maven) May 7, 2026
offset Credited to offset, jojojo8359, and smallex jojojo8359 jojojo8359
smallex smallex
Geyser Vulnerable to Server-Side Request Forgery (SSRF) via Player Head Texture URL in Geyser Low
CVE-2026-42188 was published for org.geysermc.geyser:core (Maven) May 5, 2026
shibata-yudai Credited to shibata-yudai and onebeastchris onebeastchris onebeastchris
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. Low
CVE-2026-22741 was published for org.springframework:spring-webflux (Maven) Apr 29, 2026
yuki-matsuhashi Credited to yuki-matsuhashi
xxl-job has a Resource Injection issue Low
CVE-2026-7303 was published for com.xuxueli:xxl-job-admin (Maven) Apr 29, 2026
Spring gRPC AuthenticationException messages are reflected to remote client Low
CVE-2026-40969 was published for org.springframework.grpc:spring-grpc (Maven) Apr 28, 2026
Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider Low
CVE-2026-22746 was published for org.springframework.security:spring-security-core (Maven) Apr 22, 2026
Warm-Flow has a SpEL Expression Injection in SpelHelper.parseExpression Low
CVE-2026-6125 was published for org.dromara.warm:warm-flow-plugin-modes-sb (Maven) Apr 12, 2026
Apache Cassandra has an authenticated DoS over CQL Low
CVE-2026-32588 was published for org.apache.cassandra:cassandra-all (Maven) Apr 7, 2026
Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim Low
CVE-2026-37977 was published for org.keycloak:keycloak-services (Maven) Apr 6, 2026
Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation Low
CVE-2026-4874 was published for org.keycloak:keycloak-services (Maven) Mar 26, 2026
krapovneru Credited to krapovneru and dnegreira dnegreira dnegreira
ProTip! Advisories are also available from the GraphQL API