
GitHub Advisory Database

A security vulnerability database that covers CVEs and GitHub-originated security advisories (GHSAs) for open source software.

2,084 advisories (the entries below are the most recently published advisories for packages in the Maven ecosystem, newest first)

Zserio Runtime: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization (High)
CVE-2026-33524, published for io.github.ndsev:zserio-runtime (Maven) on Apr 24, 2026. Credited to Ryujiyasu.

Apktool: Path Traversal to Arbitrary File Write (High)
CVE-2026-39973, published for org.apktool:apktool-lib (Maven) on Apr 23, 2026. Credited to caveeroo and IgorEisberg.

OpenRemote has Improper Access Control via updateUserRealmRoles function (High)
CVE-2026-41166, published for io.openremote:openremote-manager (Maven) on Apr 22, 2026. Credited to KKC73.

Bouncy Castle Uncontrolled Resource Consumption vulnerability (High)
CVE-2026-3505, published for org.bouncycastle:bcpg-jdk12 (Maven) on Apr 17, 2026.

Bouncy Castle Has Covert Timing Channel Vulnerability (High)
CVE-2026-5598, published for org.bouncycastle:bcprov-jdk14 (Maven) on Apr 17, 2026. Credited to marcelstoer.

PAC4J has a Cross-Site Request Forgery (CSRF) Vulnerability (High)
CVE-2026-40458, published for org.pac4j:pac4j-core (Maven) on Apr 17, 2026.

OmniFaces: EL injection via crafted resource name in wildcard CDN mapping (High)
GHSA-vp6r-9m58-5xv8, published for org.omnifaces:omnifaces (Maven) on Apr 16, 2026. Credited to clapbr.

SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information (High)
CVE-2026-30778, published for org.apache.skywalking:server-core (Maven) on Apr 16, 2026.

OpenRemote has XXE in Velbus Asset Import (High)
CVE-2026-40882, published for io.openremote:openremote-manager (Maven) on Apr 15, 2026. Credited to KKC73.

Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing (High)
CVE-2026-2332, published for org.eclipse.jetty:jetty-http (Maven) on Apr 14, 2026. Credited to xclow3n.

Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially not clear ThreadLocal variables (High)
CVE-2026-5795, published for org.eclipse.jetty.ee10:jetty-ee10-jaspi (Maven) on Apr 14, 2026. Credited to HRsGIT.

Emissary has an OS Command Injection via Unvalidated IN_FILE_ENDING / OUT_FILE_ENDING in Executrix (High)
CVE-2026-35582, published for gov.nsa.emissary:emissary (Maven) on Apr 13, 2026. Credited to blueandhack.

Apache Storm: Deserialization of Untrusted Data vulnerability (High)
CVE-2026-35337, published for org.apache.storm:storm-client (Maven) on Apr 13, 2026.

Apache ActiveMQ: Denial of Service via Out of Memory vulnerability (High)
CVE-2026-39304, published for org.apache.activemq:activemq-all (Maven) on Apr 10, 2026.

Spring Cloud Gateway's SSL bundle configuration silently bypassed (High)
CVE-2026-22750, published for org.springframework.cloud:spring-cloud-gateway (Maven) on Apr 10, 2026. Credited to scottfrederick.

Apache Tomcat vulnerable to Insertion of Sensitive Information into Log File (High)
CVE-2026-34487, published for org.apache.tomcat.embed:tomcat-embed-core (Maven) on Apr 9, 2026.

Apache Tomcat has an Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve (High)
CVE-2026-34483, published for org.apache.tomcat.embed:tomcat-embed-core (Maven) on Apr 9, 2026.

Apache Tomcat Missing Encryption of Sensitive Data vulnerability (High)
CVE-2026-34486, published for org.apache.tomcat:tomcat (Maven) on Apr 9, 2026. Credited to tkwilli94.

Apache Tomcat: Padding Oracle vulnerability in EncryptInterceptor (High)
CVE-2026-29146, published for org.apache.tomcat:tomcat (Maven) on Apr 9, 2026. Credited to tkwilli94.

Apache Tomcat has an HTTP Request/Response Smuggling vulnerability (High)
CVE-2026-24880, published for org.apache.tomcat:tomcat (Maven) on Apr 9, 2026. Credited to tkwilli94.

Apache Tomcat: Configured cipher preference order not preserved (High)
CVE-2026-29129, published for org.apache.tomcat.embed:tomcat-embed-core (Maven) on Apr 9, 2026.

Apache OpenMeetings Uses GET Request Method With Sensitive Query Strings (High)
CVE-2026-34020, published for org.apache.openmeetings:openmeetings-parent (Maven) on Apr 9, 2026.

Apache OpenMeetings Uses Hard-coded Cryptographic Key (High)
CVE-2026-33266, published for org.apache.openmeetings:openmeetings-parent (Maven) on Apr 9, 2026.

Apache DolphinScheduler vulnerable to sensitive information disclosure (High)
CVE-2025-62188, published for org.apache.dolphinscheduler:dolphinscheduler (Maven) on Apr 9, 2026.

Duplicate Advisory: Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially not clear ThreadLocal variables (High, withdrawn)
GHSA-gc59-r5jq-98qw, published for org.eclipse.jetty.ee10:jetty-ee10 (Maven) on Apr 8, 2026. Withdrawn as a duplicate of the CVE-2026-5795 advisory.
Advisories are also available from the GitHub GraphQL API.