
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,532 advisories

Geyser Vulnerable to Server-Side Request Forgery (SSRF) via Player Head Texture URL in Geyser Low
CVE-2026-42188 was published for org.geysermc.geyser:core (Maven) May 5, 2026
Credited to mugi-sec and onebeastchris
XWiki PlantUML Macro Vulnerable to Server-Side Request Forgery (SSRF) via 'server' parameter Moderate
CVE-2026-42140 was published for org.xwiki.contrib.plantuml:macro-plantuml-macro (Maven) May 5, 2026
Credited to lukasz-rybak
Netty: Start-Line Injection in DefaultHttpRequest.setUri() Allows HTTP Request Smuggling and RTSP Request Injection Moderate
CVE-2026-41417 was published for io.netty:netty-codec-http (Maven) May 5, 2026
Credited to oxqnd, aest3ra, and mjkim610
quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations Moderate
CVE-2026-42333 was published for io.quarkiverse.openapi.generator:quarkus-openapi-generator (Maven) May 4, 2026
Credited to Jvr2022 and ricardozanini
Sandboxed Thymeleaf expressions vulnerable to improper recognition of unauthorized syntax patterns Critical
CVE-2026-41901 was published for org.thymeleaf:thymeleaf (Maven) May 4, 2026
Credited to cristianstaicu
OpenMRS has Stored Velocity SSTI to RCE via ConceptReferenceRange Critical
CVE-2026-41258 was published for org.openmrs.api:openmrs-api (Maven) May 4, 2026
Credited to snomi and Volcore
OpenMRS Module Upload Vulnerable to Path Traversal (Zip Slip) High
CVE-2026-40076 was published for org.openmrs.web:openmrs-web (Maven) May 4, 2026
Credited to Arron-bit
Quarkus has Authentication/Authorization bypasses High
CVE-2026-39852 was published for io.quarkus:quarkus-vertx-http (Maven) May 4, 2026
Credited to p-
OpenMRS ModuleResourcesServlet has Path Traversal that Leads to Arbitrary File Read High
CVE-2026-40075 was published for org.openmrs.web:openmrs-web (Maven) May 4, 2026
Credited to Arron-bit
Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41409 Incomplete Fix) Critical
CVE-2026-42778 was published for org.apache.mina:mina-core (Maven) May 1, 2026
Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41635 Incomplete Fix) Critical
CVE-2026-42779 was published for org.apache.mina:mina-core (Maven) May 1, 2026
Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization High
CVE-2026-42402 was published for org.apache.neethi:neethi (Maven) May 1, 2026
Apache Neethi does not properly detect circular references in policy definitions High
CVE-2026-42403 was published for org.apache.neethi:neethi (Maven) May 1, 2026
Shopizer is vulnerable to Cross-site Scripting Moderate
CVE-2026-36766 was published for com.shopizer:shopizer (Maven) Apr 30, 2026
Shopizer has a path traversal issue Critical
CVE-2026-36767 was published for com.shopizer:shopizer (Maven) Apr 30, 2026
Keycloak has a Forced Browsing issue Moderate
CVE-2026-7500 was published for org.keycloak:keycloak-services (Maven) Apr 30, 2026
appsmith has SQL Injection in FilterDataService via Unsafe DROP TABLE Execution High
GHSA-h8cj-hpmg-636v was published for com.appsmith:interfaces (Maven) Apr 29, 2026
Credited to liyander
fabric-sdk-java has ObjectInputStream.readObject() without ObjectInputFilter, which allows Java deserialization RCE Critical
CVE-2026-41586 was published for org.hyperledger.fabric-sdk-java:fabric-sdk-java (Maven) Apr 29, 2026
Credited to brodmart
Jenkins Microsoft Entra ID (previously Azure AD) Plugin has an open redirect vulnerability Moderate
CVE-2026-42525 was published for org.jenkins-ci.plugins:azure-ad (Maven) Apr 29, 2026
Jenkins HTML Publisher Plugin has a XSS vulnerability in the legacy wrapper file High
CVE-2026-42524 was published for org.jenkins-ci.plugins:htmlpublisher (Maven) Apr 29, 2026
Jenkins GitHub Plugin has an XSS vulnerability Critical
CVE-2026-42523 was published for org.jenkins-ci.plugins:git (Maven) Apr 29, 2026
Jenkins Script Security Plugin: Missing permission checks allow enumeration of pending and approved classpaths Moderate
CVE-2026-42519 was published for org.jenkins-ci.plugins:script-security (Maven) Apr 29, 2026
Jenkins Credentials Binding Plugin has a path traversal vulnerability High
CVE-2026-42520 was published for org.jenkins-ci.plugins:credentials-binding (Maven) Apr 29, 2026
Jenkins Matrix Authorization Strategy Plugin: Unsafe deserialization allows invocation of parameterless constructors Moderate
CVE-2026-42521 was published for org.jenkins-ci.plugins:matrix-auth (Maven) Apr 29, 2026