GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 46; GitHub Actions 48; Go 3,343; Maven 5,000+; npm 5,000+; NuGet 881; pip 4,550; Pub 12; RubyGems 1,013; Rust 1,203; Swift 51.
Unreviewed advisories: All unreviewed 5,000+.

6,345 advisories
Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON. Severity: High. CVE-2026-34214 was published for io.trino:trino-iceberg (Maven) on Mar 29, 2026.
AWS SDK for Java 2.0: Improper Handling of Special Characters in CloudFront Signing Utilities. Severity: High. GHSA-443w-3rq3-5m5h was published for software.amazon.awssdk:cloudfront (Maven) on Mar 27, 2026.
Spring AI: Insufficient Validation causes SSRF when processing multimodal messages with user-supplied URLs. Severity: High. CVE-2026-22742 was published for org.springframework.ai:spring-ai-bedrock-converse (Maven) on Mar 27, 2026.
Spring AI has a Cypher Injection vulnerability in Neo4jVectorFilterExpressionConverter. Severity: High. CVE-2026-22743 was published for org.springframework.ai:spring-ai-neo4j-store (Maven) on Mar 27, 2026.
Spring AI Redis Store has TAG Field Query Injection Through Improper Neutralization of Special Characters. Severity: High. CVE-2026-22744 was published for org.springframework.ai:spring-ai-redis-store (Maven) on Mar 27, 2026.
Spring AI: SpEL injection is triggered when a user-supplied value is used as a filter expression key. Severity: Critical. CVE-2026-22738 was published for org.springframework.ai:spring-ai-vector-store (Maven) on Mar 27, 2026.
Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure. Severity: Moderate. CVE-2026-3190 was published for org.keycloak:keycloak-model-jpa (Maven) on Mar 26, 2026.
Keycloak: manage-clients permission escalates to full realm admin access. Severity: Moderate. CVE-2026-3121 was published for org.keycloak:keycloak-services (Maven) on Mar 26, 2026.
Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass. Severity: High. CVE-2026-33871 was published for io.netty:netty-codec-http2 (Maven) on Mar 26, 2026.
Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing. Severity: High. CVE-2026-33870 was published for io.netty:netty-codec-http (Maven) on Mar 26, 2026.
splunk-otel-javaagent: Unsafe deserialization in RMI instrumentation may lead to Remote Code Execution. Severity: Critical. GHSA-h8w2-rv57-vc6f was published for com.splunk:splunk-otel-javaagent (Maven) on Mar 26, 2026.
dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution. Severity: Critical. CVE-2026-33728 was published for com.datadoghq:dd-java-agent (Maven) on Mar 26, 2026.
Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation. Severity: Low. CVE-2026-4874 was published for org.keycloak:keycloak-services (Maven) on Mar 26, 2026.
pf4j is vulnerable to Path Traversal or Zip Slip attack through improper handling of zip entry names. Severity: High. CVE-2025-70952 was published for org.pf4j:pf4j (Maven) on Mar 25, 2026.
OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution. Severity: Critical. CVE-2026-33701 was published for io.opentelemetry.javaagent:opentelemetry-javaagent (Maven) on Mar 25, 2026.
Plexus-Utils has a Directory Traversal vulnerability in its extractFile method. Severity: High. CVE-2025-67030 was published for org.codehaus.plexus:plexus-utils (Maven) on Mar 25, 2026.
sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows. Severity: Moderate. CVE-2026-32948 was published for org.scala-sbt:sbt (Maven) on Mar 24, 2026.
Apache Artemis: Unauthorized Temporary Address Creation via OpenWire Protocol. Severity: Low. CVE-2026-32642 was published for org.apache.activemq:artemis-openwire-protocol (Maven) on Mar 24, 2026.
Undertow: Denial of Service via Multipart/Form-Data Parsing on HTTP GET Requests. Severity: Moderate. CVE-2026-3260 was published for io.undertow:undertow-core (Maven) on Mar 24, 2026.
Spring Cloud Config Server: Path Traversal via Profile Parameter Allows Arbitrary File Access. Severity: High. CVE-2026-22739 was published for org.springframework.cloud:spring-cloud-config-server (Maven) on Mar 24, 2026.
Keycloak's identity-first login flow exposes user information. Severity: Low. CVE-2026-4633 was published for org.keycloak:keycloak-services (Maven) on Mar 23, 2026.
Keycloak has Improper Access Control allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false. Severity: Moderate. CVE-2026-4628 was published for org.keycloak:keycloak-services (Maven) on Mar 23, 2026.
Spring MVC and WebFlux has Server Sent Event stream corruption. Severity: Low. CVE-2026-22735 was published for org.springframework:spring-webflux (Maven) on Mar 20, 2026.
Spring Boot has an Authentication Bypass under Actuator CloudFoundry endpoints. Severity: High. CVE-2026-22733 was published for org.springframework.boot:spring-boot-starter-actuator (Maven) on Mar 20, 2026.
Spring Boot has an Authentication Bypass under Actuator Health groups paths. Severity: High. CVE-2026-22731 was published for org.springframework.boot:spring-boot-starter-actuator (Maven) on Mar 20, 2026.
ProTip! Advisories are also available from the GraphQL API.