Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
2,818
Erlang
23
GitHub Actions
38
Go
2,203
Maven
2,576
npm
2,819
NuGet
487
pip
2,656
Pub
5
RubyGems
328
Rust
877
Swift
19
Unreviewed advisories
All unreviewed
5,000+

2,576 advisories

Loading
OpenRemote has Improper Access Control via updateUserRealmRoles function High
CVE-2026-41166 was published for io.openremote:openremote-manager (Maven) Apr 22, 2026
KKC73 Credited to KKC73
Spinnaker: RCE via expression parsing due to unrestricted context handling Critical
CVE-2026-32613 was published for io.spinnaker.echo:echo-pipelinetriggers (Maven) Apr 21, 2026
LeftenantZero Credited to LeftenantZero and jasonmcintosh jasonmcintosh jasonmcintosh
Spinnaker: RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths Critical
CVE-2026-32604 was published for io.spinnaker.clouddriver:clouddriver-artifacts-gitrepo (Maven) Apr 21, 2026
LeftenantZero Credited to LeftenantZero and jasonmcintosh jasonmcintosh jasonmcintosh
Bouncy Castle Uncontrolled Resource Consumption vulnerability High
CVE-2026-3505 was published for org.bouncycastle:bcpg-jdk12 (Maven) Apr 17, 2026
Bouncy Castle has an LDAP injection Moderate
CVE-2026-0636 was published for org.bouncycastle:bcprov-jdk14 (Maven) Apr 17, 2026
PAC4J has a Cross-Site Request Forgery (CSRF) Vulnerability High
CVE-2026-40458 was published for org.pac4j:pac4j-core (Maven) Apr 17, 2026
OmniFaces: EL injection via crafted resource name in wildcard CDN mapping High
GHSA-vp6r-9m58-5xv8 was published for org.omnifaces:omnifaces (Maven) Apr 16, 2026
clapbr Credited to clapbr
Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix Moderate
GHSA-hf5p-q87m-crj7 was published for com.github.junrar:junrar (Maven) Apr 16, 2026
subbudvk Credited to subbudvk
Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService Moderate
CVE-2026-34164 was published for com.ritense.valtimo:inbox (Maven) Apr 16, 2026
SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information High
CVE-2026-30778 was published for org.apache.skywalking:server-core (Maven) Apr 16, 2026
Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf Critical
CVE-2026-40478 was published for org.thymeleaf:thymeleaf (Maven) Apr 15, 2026
Improper restriction of the scope of accessible objects in Thymeleaf expressions Critical
CVE-2026-40477 was published for org.thymeleaf:thymeleaf (Maven) Apr 15, 2026
OpenRemote has XXE in Velbus Asset Import High
CVE-2026-40882 was published for io.openremote:openremote-manager (Maven) Apr 15, 2026
KKC73 Credited to KKC73
Data Sharing Framework has an Inverted Time Comparison in OIDC JWKS and Token Cache Moderate
GHSA-xmj9-7625-f634 was published for dev.dsf:dsf-bpe-process-api-v2 (Maven) Apr 15, 2026
Data Sharing Framework is Missing Session Timeout for OIDC Sessions Moderate
CVE-2026-40939 was published for dev.dsf:dsf-bpe-server (Maven) Apr 15, 2026
Bouncy Castle Crypto Package For Java: Use of a Broken or Risky Cryptographic Algorithm vulnerability in bcpkix modules Moderate
CVE-2026-5588 was published for org.bouncycastle:bcpkix-debug-jdk14 (Maven) Apr 15, 2026
Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing High
CVE-2026-2332 was published for org.eclipse.jetty:jetty-http (Maven) Apr 14, 2026
xclow3n Credited to xclow3n
XWiki's REST APIs can list all pages/spaces, leading to unavailability Moderate
CVE-2026-40104 was published for org.xwiki.platform:xwiki-platform-legacy-oldcore (Maven) Apr 14, 2026
XWiki has Reflected Cross-Site Scripting (XSS) in page history compare Moderate
CVE-2026-40105 was published for org.xwiki.platform:xwiki-platform-web-templates (Maven) Apr 14, 2026
mikecole-mg Credited to mikecole-mg
Expression Injection in OpenRemote Critical
CVE-2026-39842 was published for io.openremote:openremote-manager (Maven) Apr 14, 2026
qxyuan853 Credited to qxyuan853
Keycloak: Arbitrary code execution via Stored Cross-Site Scripting (XSS) in organization selection login page Moderate
CVE-2026-37980 was published for org.keycloak:keycloak-services (Maven) Apr 14, 2026
Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code Moderate
CVE-2026-33929 was published for org.apache.pdfbox:pdfbox-examples (Maven) Apr 14, 2026
AsyncHttpClient leaks authorization credentialsto untrusted domains on cross-origin redirects Moderate
CVE-2026-40490 was published for org.asynchttpclient:async-http-client (Maven) Apr 14, 2026
Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially no clear ThreadLocal variables High
CVE-2026-5795 was published for org.eclipse.jetty.ee10:jetty-ee10-jaspi (Maven) Apr 14, 2026
HRsGIT Credited to HRsGIT
Emissary has an OS Command Injection via Unvalidated IN_FILE_ENDING / OUT_FILE_ENDING in Executrix High
CVE-2026-35582 was published for gov.nsa.emissary:emissary (Maven) Apr 13, 2026
blueandhack Credited to blueandhack
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database