GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,161 advisories

Netty MQTT: Resource exhaustion in MqttDecoder (Moderate)
CVE-2026-44248, published for io.netty:netty-codec-mqtt (Maven) on May 7, 2026. Credited to chrisvest.

Netty Redis Codec Encoder has a CRLF Injection Issue (Moderate)
CVE-2026-42586, published for io.netty:netty-codec-redis (Maven) on May 7, 2026.

Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding (Moderate)
CVE-2026-42585, published for io.netty:netty-codec-http (Maven) on May 7, 2026. Credited to violetagg.

Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization (Moderate)
CVE-2026-42581, published for io.netty:netty-codec-http (Maven) on May 7, 2026. Credited to subbudvk.

Netty vulnerable to HTTP Request Smuggling due to incorrect chunk size parsing (Moderate)
CVE-2026-42580, published for io.netty:netty-codec-http (Maven) on May 7, 2026. Credited to violetagg.

OpenSearch Security plugin: DLS not applied on documents linked by has_child or has_parent relation (Moderate)
GHSA-x83w-23jp-g6pw, published for org.opensearch.plugin:opensearch-security (Maven) on May 7, 2026.

Spring Cloud AWS missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications (Moderate)
CVE-2026-44308, published for io.awspring.cloud:spring-cloud-aws-sns (Maven) on May 7, 2026. Credited to MatejNedic.

axonflow-sdk-java: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification (Moderate)
GHSA-248h-974q-xrc2, published for com.getaxonflow:axonflow-sdk (Maven) on May 6, 2026.

XWiki PlantUML Macro Vulnerable to Server-Side Request Forgery (SSRF) via 'server' parameter (Moderate)
CVE-2026-42140, published for org.xwiki.contrib.plantuml:macro-plantuml-macro (Maven) on May 5, 2026. Credited to lukasz-rybak.

Netty: Start-Line Injection in DefaultHttpRequest.setUri() Allows HTTP Request Smuggling and RTSP Request Injection (Moderate)
CVE-2026-41417, published for io.netty:netty-codec-http (Maven) on May 5, 2026. Credited to oxqnd, aest3ra, and mjkim610.

quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations (Moderate)
CVE-2026-42333, published for io.quarkiverse.openapi.generator:quarkus-openapi-generator (Maven) on May 4, 2026. Credited to Jvr2022 and ricardozanini.

Shopizer is vulnerable to Cross-site Scripting (Moderate)
CVE-2026-36766, published for com.shopizer:shopizer (Maven) on Apr 30, 2026.

Keycloak has a Forced Browsing issue (Moderate)
CVE-2026-7500, published for org.keycloak:keycloak-services (Maven) on Apr 30, 2026.

Jenkins Microsoft Entra ID (previously Azure AD) Plugin has an open redirect vulnerability (Moderate)
CVE-2026-42525, published for org.jenkins-ci.plugins:azure-ad (Maven) on Apr 29, 2026.

Jenkins Script Security Plugin: Missing permission checks allow enumeration of pending and approved classpaths (Moderate)
CVE-2026-42519, published for org.jenkins-ci.plugins:script-security (Maven) on Apr 29, 2026.

Jenkins Matrix Authorization Strategy Plugin: Unsafe deserialization allows invocation of parameterless constructors (Moderate)
CVE-2026-42521, published for org.jenkins-ci.plugins:matrix-auth (Maven) on Apr 29, 2026.

Jenkins GitHub Branch Source Plugin: Missing permissions check allows attackers to perform a connection test (Moderate)
CVE-2026-42522, published for org.jenkins-ci.plugins:github-branch-source (Maven) on Apr 29, 2026.

Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources (Moderate)
CVE-2026-22745, published for org.springframework:spring-webflux (Maven) on Apr 29, 2026.

Spring gRPC SecurityContext leaks across requests upon authorization failure (Moderate)
CVE-2026-40968, published for org.springframework.grpc:spring-grpc (Maven) on Apr 28, 2026.

Spring AI's VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration (Moderate)
CVE-2026-40966, published for org.springframework.ai:spring-ai-advisors-vector-store (Maven) on Apr 28, 2026.

Spring AI Vulnerable to OOM by attacker-controlled PDF (Moderate)
CVE-2026-40980, published for org.springframework.ai:spring-ai-pdf-document-reader (Maven) on Apr 28, 2026.

Spring AI's ONNX model cache defaults to world-writable predictable /tmp directory (Moderate)
CVE-2026-40979, published for org.springframework.ai:spring-ai-transformers (Maven) on Apr 28, 2026.

Spring Boot's random value property source uses a weak PRNG unsuitable for secrets (Moderate)
CVE-2026-40975, published for org.springframework.boot:spring-boot-cassandra (Maven) on Apr 28, 2026.

Spring Boot's PID file write follows symlinks at predictable default path (Moderate)
CVE-2026-40977, published for org.springframework.boot:spring-boot-cassandra (Maven) on Apr 28, 2026.