
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,123 advisories

XWiki has Reflected Cross-Site Scripting (XSS) in page history compare (Severity: Moderate)
CVE-2026-40105 was published for org.xwiki.platform:xwiki-platform-web-templates (Maven) on Apr 14, 2026
Credited to mikecole-mg

Spring Security Core has a TOCTOU race condition when One-Time Token login with JdbcOneTimeTokenService is configured (Severity: Moderate)
CVE-2026-22751 was published for org.springframework.security:spring-security-core (Maven) on Apr 21, 2026

Data Sharing Framework is Missing Session Timeout for OIDC Sessions (Severity: Moderate)
CVE-2026-40939 was published for dev.dsf:dsf-bpe-server (Maven) on Apr 15, 2026

Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix (Severity: Moderate)
CVE-2026-41245 was published for com.github.junrar:junrar (Maven) on Apr 16, 2026
Credited to subbudvk

Data Sharing Framework has an Inverted Time Comparison in OIDC JWKS and Token Cache (Severity: Moderate)
CVE-2026-40942 was published for dev.dsf:dsf-bpe-process-api-v2 (Maven) on Apr 15, 2026

Apache Kafka exposes sensitive information in its DEBUG logs (Severity: Moderate)
CVE-2026-33558 was published for org.apache.kafka:kafka-clients (Maven) on Apr 20, 2026

Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService (Severity: Moderate)
CVE-2026-34164 was published for com.ritense.valtimo:inbox (Maven) on Apr 16, 2026

XWiki's REST APIs can list all pages/spaces, leading to unavailability (Severity: Moderate)
CVE-2026-40104 was published for org.xwiki.platform:xwiki-platform-legacy-oldcore (Maven) on Apr 14, 2026

AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects (Severity: Moderate)
CVE-2026-40490 was published for org.asynchttpclient:async-http-client (Maven) on Apr 14, 2026
Credited to hyperxpro

Bouncy Castle has an LDAP injection (Severity: Moderate)
CVE-2026-0636 was published for org.bouncycastle:bcprov-jdk14 (Maven) on Apr 17, 2026

Improper Access Control in Apache WSS4J (Severity: Moderate)
CVE-2015-0227 was published for org.apache.ws.security:wss4j (Maven) on May 14, 2022
Credited to kmoens

Bouncy Castle Java Cryptography API vulnerable to DNS poisoning (Severity: Moderate)
CVE-2024-34447 was published for org.bouncycastle:bcprov-jdk12 (Maven) on May 3, 2024
Credited to samueloph, binary-1024, hmolsen, and kmoens

Bouncy Castle Crypto Package For Java: Use of a Broken or Risky Cryptographic Algorithm vulnerability in bcpkix modules (Severity: Moderate)
CVE-2026-5588 was published for org.bouncycastle:bcpkix-debug-jdk14 (Maven) on Apr 15, 2026

Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J (Severity: Moderate)
CVE-2011-2487 was published for org.apache.ws.security:wss4j (Maven) on Apr 22, 2022
Credited to kmoens

Jakarta Mail vulnerable to SMTP Injection (Severity: Moderate)
CVE-2025-7962 was published for com.sun.mail:jakarta.mail (Maven) on Jul 21, 2025
Credited to kmoens

JSON-lib mishandles an unbalanced comment string (Severity: Moderate)
CVE-2024-47855 was published for net.sf.json-lib:json-lib (Maven) on Oct 4, 2024
Credited to kmoens

Improper Restriction of XML External Entity Reference in Castor (Severity: Moderate)
CVE-2014-3004 was published for castor:castor (Maven) on May 13, 2022
Credited to AndrzejBiernacki2010 and kmoens

Keycloak: Arbitrary code execution via Stored Cross-Site Scripting (XSS) in organization selection login page (Severity: Moderate)
CVE-2026-37980 was published for org.keycloak:keycloak-services (Maven) on Apr 14, 2026

Apache Tomcat has an Improper Input Validation vulnerability (Severity: Moderate)
CVE-2026-32990 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) on Apr 9, 2026
Credited to tkwilli94

Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code (Severity: Moderate)
CVE-2026-33929 was published for org.apache.pdfbox:pdfbox-examples (Maven) on Apr 14, 2026

Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata (Severity: Moderate)
CVE-2026-35565 was published for org.apache.storm:storm-webapp (Maven) on Apr 13, 2026

Apache SkyWalking has a stored XSS vulnerability (Severity: Moderate)
CVE-2025-54057 was published for org.apache.skywalking:apm-webapp (Maven) on Nov 27, 2025
Credited to oscerd

Apache Log4j Core: log injection in `Rfc5424Layout` due to silent configuration incompatibility (Severity: Moderate)
CVE-2026-34478 was published for org.apache.logging.log4j:log4j-core (Maven) on Apr 10, 2026
Credited to ppkarwasz

Apache Log4j Core: `verifyHostName` attribute silently ignored in TLS configuration (Severity: Moderate)
CVE-2026-34477 was published for org.apache.logging.log4j:log4j-core (Maven) on Apr 10, 2026
Credited to ppkarwasz

Apache Log4j 1 to Log4j 2 bridge: silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters (Severity: Moderate)
CVE-2026-34479 was published for org.apache.logging.log4j:log4j-1.2-api (Maven) on Apr 10, 2026
Credited to ppkarwasz