GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,123 advisories

Spring Security Core has a TOCTOU race condition when One-Time Token login with JdbcOneTimeTokenService is configured Moderate
CVE-2026-22751 was published for org.springframework.security:spring-security-core (Maven) Apr 21, 2026
Apache Kafka exposes sensitive information in its DEBUG logs Moderate
CVE-2026-33558 was published for org.apache.kafka:kafka-clients (Maven) Apr 20, 2026
Bouncy Castle has an LDAP injection Moderate
CVE-2026-0636 was published for org.bouncycastle:bcprov-jdk14 (Maven) Apr 17, 2026
Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix Moderate
CVE-2026-41245 was published for com.github.junrar:junrar (Maven) Apr 16, 2026
Credited to subbudvk
Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService Moderate
CVE-2026-34164 was published for com.ritense.valtimo:inbox (Maven) Apr 16, 2026
Data Sharing Framework has an Inverted Time Comparison in OIDC JWKS and Token Cache Moderate
CVE-2026-40942 was published for dev.dsf:dsf-bpe-process-api-v2 (Maven) Apr 15, 2026
Data Sharing Framework is Missing Session Timeout for OIDC Sessions Moderate
CVE-2026-40939 was published for dev.dsf:dsf-bpe-server (Maven) Apr 15, 2026
Bouncy Castle Crypto Package For Java: Use of a Broken or Risky Cryptographic Algorithm vulnerability in bcpkix modules Moderate
CVE-2026-5588 was published for org.bouncycastle:bcpkix-debug-jdk14 (Maven) Apr 15, 2026
XWiki's REST APIs can list all pages/spaces, leading to unavailability Moderate
CVE-2026-40104 was published for org.xwiki.platform:xwiki-platform-legacy-oldcore (Maven) Apr 14, 2026
XWiki has Reflected Cross-Site Scripting (XSS) in page history compare Moderate
CVE-2026-40105 was published for org.xwiki.platform:xwiki-platform-web-templates (Maven) Apr 14, 2026
Credited to mikecole-mg
Keycloak: Arbitrary code execution via Stored Cross-Site Scripting (XSS) in organization selection login page Moderate
CVE-2026-37980 was published for org.keycloak:keycloak-services (Maven) Apr 14, 2026
Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code Moderate
CVE-2026-33929 was published for org.apache.pdfbox:pdfbox-examples (Maven) Apr 14, 2026
AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects Moderate
CVE-2026-40490 was published for org.asynchttpclient:async-http-client (Maven) Apr 14, 2026
Credited to hyperxpro
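The AsyncHttpClient entry above names a classic HTTP-client pitfall: following a redirect and re-sending the original request's credentials to whatever host the `Location` header points at. The following is an added illustration of the correct policy, not AsyncHttpClient's code and not the advisory's actual code path. It assumes a browser-style same-origin key (scheme, lowercased host, effective port) and a hypothetical header set built inline; credentials are forwarded only when the redirect stays on the same origin, so a cross-host redirect and an https-to-http downgrade on the same host both strip them.

```python
from urllib.parse import urljoin, urlsplit

# Effective ports used when the URL carries none (assumption: only http/https matter here).
DEFAULT_PORTS = {"http": 80, "https": 443}

# Headers that must never be replayed to a different origin.
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie")


def origin(url: str) -> tuple:
    """Same-origin key for a URL: (scheme, host, effective port)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def headers_for_redirect(original_url: str, location: str, headers: dict) -> dict:
    """Return the header set to send when following `location` from `original_url`.

    `location` may be relative (resolved against the original URL, as a client would).
    Credential-bearing headers survive only if the origin is unchanged; all other
    headers pass through untouched.
    """
    redirect_url = urljoin(original_url, location)
    if origin(original_url) == origin(redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


if __name__ == "__main__":
    # Constructed request headers, not captured from any real client.
    request_headers = {"Authorization": "Bearer example-token", "Accept": "application/json"}
    start = "https://api.example.com/v1/resource"
    for loc in ("/v1/other", "https://API.example.com:443/v1/other",
                "http://api.example.com/v1/other", "https://collector.example/"):
        print(f"{loc:45} -> {sorted(headers_for_redirect(start, loc, request_headers))}")
```

The downgrade case matters as much as the host change: a same-host `http://` redirect would put the bearer token on the wire in cleartext, so it is treated as a different origin.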
Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata Moderate
CVE-2026-35565 was published for org.apache.storm:storm-webapp (Maven) Apr 13, 2026
Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout Moderate
CVE-2026-34481 was published for org.apache.logging.log4j:log4j-layout-template-json (Maven) Apr 10, 2026
Credited to ppkarwasz
Apache Log4j 1 to Log4j 2 bridge: silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters Moderate
CVE-2026-34479 was published for org.apache.logging.log4j:log4j-1.2-api (Maven) Apr 10, 2026
Credited to ppkarwasz
Apache Log4j Core: `verifyHostName` attribute silently ignored in TLS configuration Moderate
CVE-2026-34477 was published for org.apache.logging.log4j:log4j-core (Maven) Apr 10, 2026
Credited to ppkarwasz
Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters Moderate
CVE-2026-34480 was published for org.apache.logging.log4j:log4j-core (Maven) Apr 10, 2026
Credited to ppkarwasz
Apache Log4j Core: log injection in `Rfc5424Layout` due to silent configuration incompatibility Moderate
CVE-2026-34478 was published for org.apache.logging.log4j:log4j-core (Maven) Apr 10, 2026
Credited to ppkarwasz
Apache Tomcat: CLIENT_CERT authentication does not fail as expected Moderate
CVE-2026-34500 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Apr 9, 2026
Apache Tomcat has an Open Redirect vulnerability Moderate
CVE-2026-25854 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Apr 9, 2026
Apache Tomcat has an Improper Input Validation vulnerability Moderate
CVE-2026-32990 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Apr 9, 2026
Credited to tkwilli94
Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT vulnerable to Integer Overflow or Wraparound Moderate
CVE-2026-40046 was published for org.apache.activemq:activemq-all (Maven) Apr 9, 2026
Apache OpenMeetings has an Improper Handling of Insufficient Privileges vulnerability Moderate
CVE-2026-33005 was published for org.apache.openmeetings:openmeetings-parent (Maven) Apr 9, 2026
quarkus-openapi-generator extension has Zip Slip Path Traversal in ApicurioCodegenWrapper class Moderate
CVE-2026-40180 was published for io.quarkiverse.openapi.generator:quarkus-openapi-generator (Maven) Apr 8, 2026
Credited to oscerd and ricardozanini
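Two entries in this list (Junrar's "Path Traversal (Zip-Slip) via Sibling Directory Name Prefix" and the quarkus-openapi-generator Zip Slip advisory) are instances of the same archive-extraction bug. The block below is an added, generic illustration written for this page; it is not either project's code and does not reproduce their actual extraction logic. It places the commonly seen flawed containment check (a plain string-prefix test on the resolved path) beside a hardened one, and uses constructed archive entry names rather than any real archive. The sibling-prefix case is the one the Junrar title names: with a destination of `/tmp/out`, an entry resolving to `/tmp/out-evil/...` passes a bare `startswith` test because `/tmp/out-evil` begins with `/tmp/out`.

```python
import os


def naive_is_under(dest_dir: str, entry_name: str) -> bool:
    """Flawed containment check: string prefix on the resolved target.

    Any sibling directory whose name merely starts with the destination's
    name (e.g. /tmp/out-evil next to /tmp/out) passes this test.
    """
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, entry_name))
    return target.startswith(dest)


def is_safe_extract_path(dest_dir: str, entry_name: str) -> bool:
    """Hardened containment check.

    The resolved target must be the destination itself or lie strictly
    beneath it, i.e. the destination followed by a path separator. Absolute
    entry names and ../ sequences are neutralised by realpath() before the
    comparison, and symlinked destinations resolve consistently on both sides.
    """
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, entry_name))
    return target == dest or target.startswith(dest + os.sep)


def classify_entries(dest_dir: str, entry_names) -> dict:
    """Map each entry name to (naive_verdict, hardened_verdict)."""
    return {
        name: (naive_is_under(dest_dir, name), is_safe_extract_path(dest_dir, name))
        for name in entry_names
    }


# Constructed archive entry names for demonstration; not taken from any real archive or advisory.
SAMPLE_ENTRIES = [
    "docs/readme.txt",             # benign
    "../../etc/cron.d/backdoor",   # classic zip-slip, caught by both checks
    "../out-evil/payload.sh",      # sibling-prefix bypass of the naive check
    "/etc/passwd",                 # absolute entry name
]

if __name__ == "__main__":
    for name, (naive, safe) in classify_entries("/tmp/out", SAMPLE_ENTRIES).items():
        print(f"{name!r:32} naive={naive!s:5} hardened={safe}")
```

When reviewing an extractor, look for the separator in the prefix comparison (or an equivalent `Path.startsWith` on path components rather than characters); its absence is exactly the sibling-prefix bug.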
Advisories are also available from the GraphQL API.