GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
6,433 advisories
io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout
High
CVE-2025-1634
was published
for
io.quarkus:quarkus-resteasy
(Maven)
Feb 26, 2025
Spinnaker: RCE via expression parsing due to unrestricted context handling
Critical
CVE-2026-32613
was published
for
io.spinnaker.echo:echo-pipelinetriggers
(Maven)
Apr 21, 2026
Spinnaker: RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths
Critical
CVE-2026-32604
was published
for
io.spinnaker.clouddriver:clouddriver-artifacts-gitrepo
(Maven)
Apr 21, 2026
OpenRemote has Improper Access Control via updateUserRealmRoles function
High
CVE-2026-41166
was published
for
io.openremote:openremote-manager
(Maven)
Apr 22, 2026
OpenRemote has XXE in Velbus Asset Import
High
CVE-2026-40882
was published
for
io.openremote:openremote-manager
(Maven)
Apr 15, 2026
XWiki has Reflected Cross-Site Scripting (XSS) in page history compare
Moderate
CVE-2026-40105
was published
for
org.xwiki.platform:xwiki-platform-web-templates
(Maven)
Apr 14, 2026
Bouncy Castle Has Covert Timing Channel Vulnerability
High
CVE-2026-5598
was published
for
org.bouncycastle:bcprov-jdk14
(Maven)
Apr 17, 2026
Apache Struts Remote Java Code Execution
Critical
CVE-2012-0391
was published
for
org.apache.struts.xwork:xwork-core
(Maven)
May 4, 2022
XWiki Blog Application home page vulnerable to Stored XSS via Post Title
High
CVE-2025-66024
was published
for
org.xwiki.contrib.blog:application-blog-ui
(Maven)
Mar 4, 2026
thenify before 3.3.1 made use of unsafe calls to `eval`.
Critical
CVE-2020-7677
was published
for
org.webjars.npm:thenify
(Maven)
Jul 18, 2022
Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix
Moderate
CVE-2026-41245
was published
for
com.github.junrar:junrar
(Maven)
Apr 16, 2026
Emissary has an OS Command Injection via Unvalidated IN_FILE_ENDING / OUT_FILE_ENDING in Executrix
High
CVE-2026-35582
was published
for
gov.nsa.emissary:emissary
(Maven)
Apr 13, 2026
Expression Injection in OpenRemote
Critical
CVE-2026-39842
was published
for
io.openremote:openremote-manager
(Maven)
Apr 14, 2026
AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects
Moderate
CVE-2026-40490
was published
for
org.asynchttpclient:async-http-client
(Maven)
Apr 14, 2026
ProTip!
Advisories are also available from the
GraphQL API