
GitHub Advisory Database

Security vulnerability database covering CVEs and GitHub-originated security advisories for open source software.

6,443 advisories

appsmith has SQL Injection in FilterDataService via Unsafe DROP TABLE Execution High
GHSA-h8cj-hpmg-636v was published for com.appsmith:interfaces (Maven) Apr 29, 2026
Credited to liyander
fabric-sdk-java has ObjectInputStream.readObject() without ObjectInputFilter, which allows Java deserialization RCE Critical
CVE-2026-41586 was published for org.hyperledger.fabric-sdk-java:fabric-sdk-java (Maven) Apr 29, 2026
Credited to brodmart
Zserio Runtime: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization High
CVE-2026-33524 was published for io.github.ndsev:zserio-runtime (Maven) Apr 24, 2026
Credited to Ryujiyasu
Apktool: Path Traversal to Arbitrary File Write High
CVE-2026-39973 was published for org.apktool:apktool-lib (Maven) Apr 23, 2026
Credited to caveeroo and IgorEisberg
Silverpeas Core has a reflected cross-site scripting vulnerability Moderate
CVE-2026-30139 was published for org.silverpeas.core:silverpeas-core-war (Maven) Apr 22, 2026
camel-infinispan Vulnerable to Deserialization of Untrusted Data High
CVE-2026-6857 was published for org.apache.camel:camel-infinispan (Maven) Apr 22, 2026
OpenRemote has Improper Access Control via updateUserRealmRoles function High
CVE-2026-41166 was published for io.openremote:openremote-manager (Maven) Apr 22, 2026
Credited to KKC73
Apache HttpClient accepts SCRAM-SHA-256 authentication without proper mutual authentication verification High
CVE-2026-40542 was published for org.apache.httpcomponents.client5:httpclient5 (Maven) Apr 22, 2026
Spring Security Doesn't Correctly Include Servlet Path in Path Matching of HttpSecurity#securityMatchers High
CVE-2026-22753 was published for org.springframework.security:spring-security-config (Maven) Apr 22, 2026
Spring Security Doesn't Correctly Include Servlet Path in Path Matching of XML Authorization Rules High
CVE-2026-22754 was published for org.springframework.security:spring-security-config (Maven) Apr 22, 2026
Spring Security has Potential Security Misconfiguration when Using withIssuerLocation Moderate
CVE-2026-22748 was published for org.springframework.security:spring-security-oauth2-jose (Maven) Apr 22, 2026
Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider Low
CVE-2026-22746 was published for org.springframework.security:spring-security-core (Maven) Apr 22, 2026
Spring Security Vulnerable to Unauthorized User Impersonation when Using X.509 Client Certificates Moderate
CVE-2026-22747 was published for org.springframework.security:spring-security-web (Maven) Apr 22, 2026
Spring Security Core has a TOCTOU race condition when One-Time Token login with JdbcOneTimeTokenService is configured Moderate
CVE-2026-22751 was published for org.springframework.security:spring-security-core (Maven) Apr 21, 2026
Spinnaker: RCE via expression parsing due to unrestricted context handling Critical
CVE-2026-32613 was published for io.spinnaker.echo:echo-pipelinetriggers (Maven) Apr 21, 2026
Credited to LeftenantZero and jasonmcintosh
Spinnaker: RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths Critical
CVE-2026-32604 was published for io.spinnaker.clouddriver:clouddriver-artifacts-gitrepo (Maven) Apr 21, 2026
Credited to LeftenantZero and jasonmcintosh
Apache Kafka exposes sensitive information in its DEBUG logs Moderate
CVE-2026-33558 was published for org.apache.kafka:kafka-clients (Maven) Apr 20, 2026
Apache Kafka does not validate JWT tokens in its OAUTHBEARER authentication implementation Critical
CVE-2026-33557 was published for org.apache.kafka:kafka-clients (Maven) Apr 20, 2026
Bouncy Castle Uncontrolled Resource Consumption vulnerability High
CVE-2026-3505 was published for org.bouncycastle:bcpg-jdk12 (Maven) Apr 17, 2026
Bouncy Castle has an LDAP injection Moderate
CVE-2026-0636 was published for org.bouncycastle:bcprov-jdk14 (Maven) Apr 17, 2026
Bouncy Castle Has Covert Timing Channel Vulnerability High
CVE-2026-5598 was published for org.bouncycastle:bcprov-jdk14 (Maven) Apr 17, 2026
Credited to marcelstoer
PAC4J has a Cross-Site Request Forgery (CSRF) Vulnerability High
CVE-2026-40458 was published for org.pac4j:pac4j-core (Maven) Apr 17, 2026
OmniFaces: EL injection via crafted resource name in wildcard CDN mapping High
CVE-2026-41883 was published for org.omnifaces:omnifaces (Maven) Apr 16, 2026
Credited to clapbr
Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix Moderate
CVE-2026-41245 was published for com.github.junrar:junrar (Maven) Apr 16, 2026
Credited to subbudvk
Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService Moderate
CVE-2026-34164 was published for com.ritense.valtimo:inbox (Maven) Apr 16, 2026
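As an added example (not the advisory database's own tooling, and not code from any project listed above): parse raw listing lines in the format this page uses (a title ending in a severity label, then "identifier was published for package (ecosystem) date") into records, pull Maven coordinates out of a pom.xml dependencies block, and report which coordinates have advisories, most severe first. The sample listing lines are copied from this page; the pom fragment and its version numbers are constructed for the example. The listing carries no vulnerable version ranges, so a coordinate match is a triage signal, not a confirmed finding.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Severity labels as the advisory database uses them, ranked highest first.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Moderate": 2, "Low": 1}

# A listing entry is a title line ending in a severity label, followed by an
# identifier line. Credit lines ("Credited to ...") match neither and are skipped.
TITLE_RE = re.compile(r"^(?P<summary>.+?)\s+(?P<severity>Critical|High|Moderate|Low)$")
ID_RE = re.compile(
    r"^(?P<id>CVE-\d{4}-\d{4,}|GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}) was published for "
    r"(?P<package>\S+) \((?P<ecosystem>[^)]+)\) (?P<date>.+)$"
)


@dataclass(frozen=True)
class Advisory:
    identifier: str
    summary: str
    severity: str
    ecosystem: str
    package: str
    published: str


def parse_listing(text: str) -> list[Advisory]:
    """Turn raw listing lines into Advisory records; lines that do not form an entry are ignored."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    advisories = []
    i = 0
    while i + 1 < len(lines):
        title = TITLE_RE.match(lines[i])
        ident = ID_RE.match(lines[i + 1])
        if title and ident:
            advisories.append(Advisory(
                identifier=ident["id"], summary=title["summary"], severity=title["severity"],
                ecosystem=ident["ecosystem"], package=ident["package"], published=ident["date"]))
            i += 2
        else:
            i += 1
    return advisories


def pom_coordinates(pom_text: str) -> list[str]:
    """Extract groupId:artifactId coordinates from a pom.xml <dependencies> block."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_text)
    coords = []
    for dep in root.findall("m:dependencies/m:dependency", ns):
        group = dep.findtext("m:groupId", namespaces=ns)
        artifact = dep.findtext("m:artifactId", namespaces=ns)
        coords.append(f"{group}:{artifact}")
    return coords


def find_affected(advisories, coordinates):
    """Map each Maven coordinate that has advisories to them, most severe first.
    The listing has no vulnerable version ranges, so this is a triage signal only."""
    wanted = set(coordinates)
    hits = {}
    for adv in advisories:
        if adv.ecosystem == "Maven" and adv.package in wanted:
            hits.setdefault(adv.package, []).append(adv)
    for pkg in hits:
        hits[pkg].sort(key=lambda a: SEVERITY_RANK[a.severity], reverse=True)
    return hits


# Constructed sample: lines copied from this page's listing, in its raw format.
SAMPLE_LISTING = """
Spring Security Doesn't Correctly Include Servlet Path in Path Matching of HttpSecurity#securityMatchers High
CVE-2026-22753 was published for org.springframework.security:spring-security-config (Maven) Apr 22, 2026
Spring Security Doesn't Correctly Include Servlet Path in Path Matching of XML Authorization Rules High
CVE-2026-22754 was published for org.springframework.security:spring-security-config (Maven) Apr 22, 2026
Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider Low
CVE-2026-22746 was published for org.springframework.security:spring-security-core (Maven) Apr 22, 2026
Apache Kafka exposes sensitive information in its DEBUG logs Moderate
CVE-2026-33558 was published for org.apache.kafka:kafka-clients (Maven) Apr 20, 2026
Apache Kafka does not validate JWT tokens in its OAUTHBEARER authentication implementation Critical
CVE-2026-33557 was published for org.apache.kafka:kafka-clients (Maven) Apr 20, 2026
Bouncy Castle Has Covert Timing Channel Vulnerability High
CVE-2026-5598 was published for org.bouncycastle:bcprov-jdk14 (Maven) Apr 17, 2026
Credited to marcelstoer
appsmith has SQL Injection in FilterDataService via Unsafe DROP TABLE Execution High
GHSA-h8cj-hpmg-636v was published for com.appsmith:interfaces (Maven) Apr 29, 2026
Credited to liyander
"""

# Constructed pom.xml fragment; the version numbers are made up for the example.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-config</artifactId><version>6.4.0</version></dependency>
    <dependency><groupId>org.apache.kafka</groupId><artifactId>kafka-clients</artifactId><version>3.8.0</version></dependency>
    <dependency><groupId>org.bouncycastle</groupId><artifactId>bcprov-jdk18on</artifactId><version>1.78</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    hits = find_affected(parse_listing(SAMPLE_LISTING), pom_coordinates(POM_XML))
    for pkg, advs in hits.items():
        for adv in advs:
            print(f"{pkg}: {adv.identifier} [{adv.severity}] {adv.summary}")
```

Note that the constructed pom pulls in bcprov-jdk18on while the listing line names bcprov-jdk14, so an exact coordinate match reports nothing for it. The listing shows one package per advisory line, but a single advisory may list several affected artifacts, so read the advisory's full affected-package list and version ranges before closing a match as not applicable.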
Advisories are also available from the GraphQL API.