GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

117 advisories

Sandboxed Thymeleaf expressions vulnerable to improper recognition of unauthorized syntax patterns Critical
CVE-2026-41901 was published for org.thymeleaf:thymeleaf (Maven) May 4, 2026
Credited to cristianstaicu
OmniFaces: EL injection via crafted resource name in wildcard CDN mapping High
CVE-2026-41883 was published for org.omnifaces:omnifaces (Maven) Apr 16, 2026
Credited to clapbr
Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf Critical
CVE-2026-40478 was published for org.thymeleaf:thymeleaf (Maven) Apr 15, 2026
Improper restriction of the scope of accessible objects in Thymeleaf expressions Critical
CVE-2026-40477 was published for org.thymeleaf:thymeleaf (Maven) Apr 15, 2026
Expression Injection in OpenRemote Critical
CVE-2026-39842 was published for io.openremote:openremote-manager (Maven) Apr 14, 2026
Credited to qxyuan853
Spring AI: SpEL injection is triggered when a user-supplied value is used as a filter expression key Critical
CVE-2026-22738 was published for org.springframework.ai:spring-ai-vector-store (Maven) Mar 27, 2026
JSONPath Injection in Spring AI Vector Stores FilterExpressionConverter High
CVE-2026-22729 was published for org.springframework.ai:spring-ai-vector-store (Maven) Mar 18, 2026
Apache IoTDB has an Improper Input Validation vulnerability Critical
CVE-2026-24713 was published for org.apache.iotdb:iotdb-core (Maven) Mar 9, 2026
Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection High
CVE-2025-41253 was published for org.springframework.cloud:spring-cloud-gateway-server (Maven) Oct 16, 2025
Credited to scottfrederick
Hutool allows remote code execution (RCE) via the QLExpressEngine class High
CVE-2025-56769 was published for cn.hutool:hutool-extra (Maven) Sep 26, 2025
QOS.CH logback-core Expression Language Injection vulnerability Moderate
CVE-2024-12798 was published for ch.qos.logback:logback-core (Maven) Dec 19, 2024
Credited to HTHou, perexis, GoetzGoerisch, and pjfanning
Apache Ambari Expression Language Injection vulnerability High
CVE-2022-45855 was published for org.apache.ambari:ambari (Maven) Jul 12, 2023
Apache Ambari Expression Language Injection vulnerability High
CVE-2022-42009 was published for org.apache.ambari:ambari (Maven) Jul 12, 2023
Apache Jena Expression Language Injection vulnerability High
CVE-2023-32200 was published for org.apache.jena:jena (Maven) Jul 12, 2023
Arbitrary javascript injection in Apache Jena Moderate
CVE-2023-22665 was published for org.apache.jena:jena (Maven) Apr 25, 2023