Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
55
GitHub Actions
50
Go
3,721
Maven
5,000+
npm
5,000+
NuGet
935
pip
4,943
Pub
13
RubyGems
1,055
Rust
1,338
Swift
54
Unreviewed advisories
All unreviewed
5,000+

6,527 advisories

Loading
Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect High
CVE-2026-44503 was published for Microsoft.Kiota.Abstractions (Go) May 7, 2026
MIchaelMainer Credited to MIchaelMainer
Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS High
CVE-2026-42587 was published for io.netty:netty-codec-http (Maven) May 7, 2026
offset Credited to offset
Netty Redis Codec Encoder has a CRLF Injection Issue Moderate
CVE-2026-42586 was published for io.netty:netty-codec-redis (Maven) May 7, 2026
Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding Moderate
CVE-2026-42585 was published for io.netty:netty-codec-http (Maven) May 7, 2026
violetagg Credited to violetagg
Netty has HttpClientCodec response desynchronization High
CVE-2026-42584 was published for io.netty:netty-codec-http (Maven) May 7, 2026
violetagg Credited to violetagg
Netty Lz4FrameDecoder is vulnerable to resource exhaustion High
CVE-2026-42583 was published for io.netty:netty-codec (Maven) May 7, 2026
violetagg Credited to violetagg
Netty HTTP/3 QPACK literal unbounded allocation High
CVE-2026-42582 was published for io.netty:netty-codec-http3 (Maven) May 7, 2026
violetagg Credited to violetagg
Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization Moderate
CVE-2026-42581 was published for io.netty:netty-codec-http (Maven) May 7, 2026
subbudvk Credited to subbudvk
Netty vulnerable to HTTP Request Smuggling due to incorrect chunk size parsing Moderate
CVE-2026-42580 was published for io.netty:netty-codec-http (Maven) May 7, 2026
violetagg Credited to violetagg
Netty has a DNS Codec Input Validation Bypass (Encoder + Decoder) High
CVE-2026-42579 was published for io.netty:netty-codec-dns (Maven) May 7, 2026
Netty has HTTP Header Injection via HttpProxyHandler Disabled Validation (Incomplete Fix CVE-2025-67735) Low
CVE-2026-42578 was published for io.netty:netty-handler-proxy (Maven) May 7, 2026
August829 Credited to August829
OpenSearch has ineffective TLS certificate hostname verification Low
GHSA-x5hg-x4gv-j98m was published for org.opensearch.plugin:opensearch-security (Maven) May 7, 2026
OpenSearch Security plugin: DLS not applied on documents linked by has_child or has_parent relation Moderate
GHSA-x83w-23jp-g6pw was published for org.opensearch.plugin:opensearch-security (Maven) May 7, 2026
OpenSearch vulnerable to improper authorization for Rollover Requests Low
GHSA-22vx-2x23-98w6 was published for org.opensearch.plugin:opensearch-security (Maven) May 7, 2026
OpenSearch has a bypass of REST Layer Authorization Using Malformed Paths Low
GHSA-83x9-vc3c-hghc was published for org.opensearch.plugin:opensearch-security (Maven) May 7, 2026
Spring Cloud AWS missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications Moderate
CVE-2026-44308 was published for io.awspring.cloud:spring-cloud-aws-sns (Maven) May 7, 2026
MatejNedic Credited to MatejNedic
axonflow-sdk-java: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification Moderate
GHSA-248h-974q-xrc2 was published for com.getaxonflow:axonflow-sdk (Maven) May 6, 2026
Netty epoll transport denial of service via RST on half-closed TCP connection High
CVE-2026-42577 was published for io.netty:netty-transport-native-epoll (Maven) May 6, 2026
Stormpx Credited to Stormpx
Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users Critical
CVE-2026-42555 was published for com.ritense.valtimo:case (Maven) May 6, 2026
Micronaut has unbounded `formattersCache` in `TimeConverterRegistrar` that Allows Memory Exhaustion via `Accept-Language` Header High
CVE-2026-44241 was published for io.micronaut:micronaut-context (Maven) May 6, 2026
offset Credited to offset
Micronaut has Unbounded `bundleCache` in `ResourceBundleMessageSource` that Allows Memory Exhaustion via `Accept-Language` Header Low
CVE-2026-44242 was published for io.micronaut:micronaut-inject (Maven) May 6, 2026
offset Credited to offset
ArcadeDB vulnerable to cross-database authorization bypass and unsecured newly-created databases Critical
CVE-2026-44221 was published for com.arcadedb:arcadedb-server (Maven) May 5, 2026
jdbi3-freemarker Vulnerable to Improper Neutralization of Special Elements Used in FreeMarker Template Engine High
GHSA-mggx-p7jf-jgw4 was published for org.jdbi:jdbi3-freemarker (Maven) May 5, 2026
wodzen Credited to wodzen
pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS High
CVE-2026-42198 was published for org.postgresql:postgresql (Maven) May 5, 2026
sehrope Credited to sehrope
Geyser Vulnerable to Server-Side Request Forgery (SSRF) via Player Head Texture URL in Geyser Low
CVE-2026-42188 was published for org.geysermc.geyser:core (Maven) May 5, 2026
mugi-sec Credited to mugi-sec and onebeastchris onebeastchris onebeastchris
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database