GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
399 advisories
Filter by severity
land.oras:oras-java-sdk: Symlink-based path traversal in ArchiveUtils.untar / unzip allows arbitrary file write outside extraction directory
Low
GHSA-j6hm-v3x2-qv6j
was published
for
land.oras:oras-java-sdk
(Maven)
Jul 1, 2026
CrateDB's Blob HTTP handler bypasses authorization
Low
CVE-2026-49989
was published
for
io.crate:crate
(Maven)
Jul 1, 2026
Sigstore Java has a vulnerability with bundle verification of integratedTime
Low
CVE-2026-48791
was published
for
dev.sigstore:sigstore-java
(Maven)
Jun 30, 2026
OpenAM SAML2 Cluster Cookie-Hash-Redirect Path has Pre-authentication Reflected XSS via `FSUtils.postToTarget`
Low
CVE-2026-44793
was published
for
org.openidentityplatform.openam:openam-federation-library
(Maven)
Jun 22, 2026
Logback vulnerable to Object Injection through HardenedObjectInputStream modules
Low
CVE-2026-10532
was published
for
ch.qos.logback:logback-core
(Maven)
Jun 1, 2026
QOS.CH Sarl logback logback-core has a deserialization of untrusted data vulnerability
Low
CVE-2026-9828
was published
for
ch.qos.logback:logback-core
(Maven)
May 28, 2026
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login
Low
CVE-2026-48589
was published
for
org.apache.shiro:shiro-jakarta-ee
(Maven)
May 26, 2026
TCC-TRANSACTION has an Improper Input Validation vulnerability
Low
CVE-2026-9497
was published
for
org.mengyun:tcc-transaction
(Maven)
May 26, 2026
jasypt-spring-boot Uses a One-Way Hash without a Salt
Low
CVE-2026-9370
was published
for
com.github.ulisesbocchio:jasypt-spring-boot
(Maven)
May 26, 2026
Vaadin Build Plugins is Affected by a Possible Information Disclosure Vulnerability
Low
CVE-2026-7860
was published
for
com.vaadin:flow-gradle-plugin
(Maven)
May 19, 2026
Apache Tomcat - AJP secret compared in non-constant time
Low
CVE-2026-43514
was published
for
org.apache.tomcat.embed:tomcat-embed-core
(Maven)
May 12, 2026
Netty has HTTP Header Injection via HttpProxyHandler Disabled Validation (Incomplete Fix CVE-2025-67735)
Low
CVE-2026-42578
was published
for
io.netty:netty-handler-proxy
(Maven)
May 7, 2026
OpenSearch has ineffective TLS certificate hostname verification
Low
GHSA-x5hg-x4gv-j98m
was published
for
org.opensearch.plugin:opensearch-security
(Maven)
May 7, 2026
OpenSearch vulnerable to improper authorization for Rollover Requests
Low
GHSA-22vx-2x23-98w6
was published
for
org.opensearch.plugin:opensearch-security
(Maven)
May 7, 2026
OpenSearch has a bypass of REST Layer Authorization Using Malformed Paths
Low
GHSA-83x9-vc3c-hghc
was published
for
org.opensearch.plugin:opensearch-security
(Maven)
May 7, 2026
Micronaut has Unbounded `bundleCache` in `ResourceBundleMessageSource` that Allows Memory Exhaustion via `Accept-Language` Header
Low
CVE-2026-44242
was published
for
io.micronaut:micronaut-inject
(Maven)
May 6, 2026
Geyser Vulnerable to Server-Side Request Forgery (SSRF) via Player Head Texture URL in Geyser
Low
CVE-2026-42188
was published
for
org.geysermc.geyser:core
(Maven)
May 5, 2026
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.
Low
CVE-2026-22741
was published
for
org.springframework:spring-webflux
(Maven)
Apr 29, 2026
xxl-job has a Resource Injection issue
Low
CVE-2026-7303
was published
for
com.xuxueli:xxl-job-admin
(Maven)
Apr 29, 2026
Spring gRPC AuthenticationException messages are reflected to remote client
Low
CVE-2026-40969
was published
for
org.springframework.grpc:spring-grpc
(Maven)
Apr 28, 2026
Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider
Low
CVE-2026-22746
was published
for
org.springframework.security:spring-security-core
(Maven)
Apr 22, 2026
Warm-Flow has a SpEL Expression Injection in SpelHelper.parseExpression
Low
CVE-2026-6125
was published
for
org.dromara.warm:warm-flow-plugin-modes-sb
(Maven)
Apr 12, 2026
Apache Cassandra has an authenticated DoS over CQL
Low
CVE-2026-32588
was published
for
org.apache.cassandra:cassandra-all
(Maven)
Apr 7, 2026
Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim
Low
CVE-2026-37977
was published
for
org.keycloak:keycloak-services
(Maven)
Apr 6, 2026
Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation
Low
CVE-2026-4874
was published
for
org.keycloak:keycloak-services
(Maven)
Mar 26, 2026
ProTip!
Advisories are also available from the
GraphQL API