
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,027 advisories

OpenRemote has Improper Access Control via updateUserRealmRoles function High
CVE-2026-41166 was published for io.openremote:openremote-manager (Maven) Apr 22, 2026
Credited to KKC73
Spinnaker: RCE via expression parsing due to unrestricted context handling Critical
CVE-2026-32613 was published for io.spinnaker.echo:echo-pipelinetriggers (Maven) Apr 21, 2026
Credited to LeftenantZero and jasonmcintosh
Spinnaker: RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths Critical
CVE-2026-32604 was published for io.spinnaker.clouddriver:clouddriver-artifacts-gitrepo (Maven) Apr 21, 2026
Credited to LeftenantZero and jasonmcintosh
Bouncy Castle Uncontrolled Resource Consumption vulnerability High
CVE-2026-3505 was published for org.bouncycastle:bcpg-jdk12 (Maven) Apr 17, 2026
Bouncy Castle has an LDAP injection Moderate
CVE-2026-0636 was published for org.bouncycastle:bcprov-jdk14 (Maven) Apr 17, 2026
PAC4J has a Cross-Site Request Forgery (CSRF) Vulnerability High
CVE-2026-40458 was published for org.pac4j:pac4j-core (Maven) Apr 17, 2026
Hibernate vulnerable to SQL Injection High
CVE-2026-0603 was published for org.hibernate:hibernate-core (Maven) Jan 23, 2026
Credited to kmoens
SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information High
CVE-2026-30778 was published for org.apache.skywalking:server-core (Maven) Apr 16, 2026
Spring Boot has an Authentication Bypass under Actuator Health groups paths High
CVE-2026-22731 was published for org.springframework.boot:spring-boot-starter-actuator (Maven) Mar 20, 2026
Authenticated Apache ActiveMQ Broker and Apache ActiveMQ users could perform RCE via Jolokia MBeans High
CVE-2026-34197 was published for org.apache.activemq:activemq-all (Maven) Apr 7, 2026
Credited to filipecamargos
Data Sharing Framework is Missing Session Timeout for OIDC Sessions Moderate
CVE-2026-40939 was published for dev.dsf:dsf-bpe-server (Maven) Apr 15, 2026
Bouncy Castle Crypto Package For Java: Use of a Broken or Risky Cryptographic Algorithm vulnerability in bcpkix modules Moderate
CVE-2026-5588 was published for org.bouncycastle:bcpkix-debug-jdk14 (Maven) Apr 15, 2026
OmniFaces: EL injection via crafted resource name in wildcard CDN mapping High
GHSA-vp6r-9m58-5xv8 was published for org.omnifaces:omnifaces (Maven) Apr 16, 2026
Credited to clapbr
Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix Moderate
GHSA-hf5p-q87m-crj7 was published for com.github.junrar:junrar (Maven) Apr 16, 2026
Credited to subbudvk
Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService Moderate
CVE-2026-34164 was published for com.ritense.valtimo:inbox (Maven) Apr 16, 2026
Keycloak: Unauthorized authentication via disabled SAML Identity Provider High
CVE-2026-2603 was published for org.keycloak:keycloak-server-spi-private (Maven) Mar 18, 2026
Credited to ig596
Jakarta Mail vulnerable to SMTP Injection Moderate
CVE-2025-7962 was published for com.sun.mail:jakarta.mail (Maven) Jul 21, 2025
Credited to kmoens
JSON-lib mishandles an unbalanced comment string Moderate
CVE-2024-47855 was published for net.sf.json-lib:json-lib (Maven) Oct 4, 2024
Credited to kmoens
Keycloak: Arbitrary code execution via Stored Cross-Site Scripting (XSS) in organization selection login page Moderate
CVE-2026-37980 was published for org.keycloak:keycloak-services (Maven) Apr 14, 2026
Apache Tomcat has an Improper Input Validation vulnerability Moderate
CVE-2026-32990 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Apr 9, 2026
Credited to tkwilli94
Apache Tomcat has an HTTP Request/Response Smuggling vulnerability High
CVE-2026-24880 was published for org.apache.tomcat:tomcat (Maven) Apr 9, 2026
Credited to tkwilli94
Apache Tomcat Missing Encryption of Sensitive Data vulnerability High
CVE-2026-34486 was published for org.apache.tomcat:tomcat (Maven) Apr 9, 2026
Credited to tkwilli94
Apache Tomcat: Padding Oracle vulnerability in EncryptInterceptor High
CVE-2026-29146 was published for org.apache.tomcat:tomcat (Maven) Apr 9, 2026
Credited to tkwilli94
OpenRemote has XXE in Velbus Asset Import High
CVE-2026-40882 was published for io.openremote:openremote-manager (Maven) Apr 15, 2026
Credited to KKC73
AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects Moderate
CVE-2026-40490 was published for org.asynchttpclient:async-http-client (Maven) Apr 14, 2026