
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,999 advisories

Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin (High)
CVE-2026-22022 was published for org.apache.solr:solr-core (Maven) Jan 21, 2026

Apache Solr: Insufficient file-access checking in standalone core-creation requests (High)
CVE-2026-22444 was published for org.apache.solr:solr-core (Maven) Jan 21, 2026

Apache Linkis: Arbitrary File Read via Double URL Encoding Bypass (High)
CVE-2025-29847 was published for org.apache.linkis:linkis (Maven) Jan 19, 2026

Jervis's AES CBC Mode is Without Authentication (High)
CVE-2025-68931 was published for net.gleske:jervis (Maven) Jan 13, 2026

Jervis Has Weak Random for Timing Attack Mitigation (High)
CVE-2025-68704 was published for net.gleske:jervis (Maven) Jan 13, 2026

Jervis's Salt for PBKDF2 derived from password (High)
CVE-2025-68703 was published for net.gleske:jervis (Maven) Jan 13, 2026

Jervis Has a SHA-256 Hex String Padding Bug (High)
CVE-2025-68702 was published for net.gleske:jervis (Maven) Jan 13, 2026

Jervis has Deterministic AES IV Derivation from Passphrase (High)
CVE-2025-68701 was published for net.gleske:jervis (Maven) Jan 13, 2026

Jervis Has a RSA PKCS#1 Padding Vulnerability (High)
CVE-2025-68698 was published for net.gleske:jervis (Maven) Jan 13, 2026

Apache Struts 2 is Missing XML Validation (High)
CVE-2025-68493 was published for com.opensymphony:xwork (Maven) Jan 11, 2026

OpenMetadata's Server-Side Template Injection (SSTI) in FreeMarker email templates leads to RCE (High)
CVE-2026-22244 was published for org.open-metadata:platform (Maven) Jan 7, 2026
Credited to lnlinh31, manerow, TeddyCr, and pmbrull

Spinnaker vulnerable to SSRF due to improper restrictions on http from user input (High)
CVE-2025-61916 was published for io.spinnaker.clouddriver:clouddriver-artifacts (Maven) Jan 5, 2026
Credited to jake-ciolek, CodeWobbler, jasonmcintosh, and Jaimeoby

MessagePack for Java Vulnerable to Remote DoS via Malicious EXT Payload Allocation (High)
CVE-2026-21452 was published for org.msgpack:msgpack-core (Maven) Jan 5, 2026
Credited to HyperPS

Apache Kyuubi Server vulnerable to Path Traversal (High)
CVE-2025-66518 was published for org.apache.kyuubi:kyuubi-server_2.12 (Maven) Jan 5, 2026

Apache NiFi GetAsanaObject Processor has Remote Code Execution via Unsafe Deserialization (High)
CVE-2025-66524 was published for org.apache.nifi:nifi-asana-processors (Maven) Dec 19, 2025

jose4j is vulnerable to DoS via compressed JWE content (High)
CVE-2024-29371 was published for org.bitbucket.b_c:jose4j (Maven) Dec 17, 2025
Credited to ShichengRao

aircompressor Snappy and LZ4 Java-based decompressor implementation can leak information from reused output buffer (High)
CVE-2025-67721 was published for io.airlift:aircompressor-v3 (Maven) Dec 12, 2025
Credited to kyakdan

Liferay Portal and DXP Instance Admin can execute code using Objects Actions and Validations (High)
CVE-2025-3586 was published for com.liferay:com.liferay.object.service (Maven) Dec 12, 2025

Apache StreamPark: Use the user’s password as the secret key Vulnerability (High)
CVE-2025-53960 was published for org.apache.streampark:streampark (Maven) Dec 12, 2025

Apache StreamPark uses a Weak Encryption Algorithm (High)
CVE-2025-54981 was published for org.apache.streampark:streampark (Maven) Dec 12, 2025

Apache StreamPark has a hard-coded encryption key (High)
CVE-2025-54947 was published for org.apache.streampark:streampark (Maven) Dec 12, 2025

Apache HugeGraph-Server: RAFT and deserialization vulnerability (High)
CVE-2025-26866 was published for org.apache.hugegraph:hg-pd-core (Maven) Dec 12, 2025

Race condition in the Okta Java SDK (High)
CVE-2025-67505 was published for com.okta.sdk:okta-sdk-root (Maven) Dec 10, 2025

Jenkins Coverage Plugin has a stored cross-site scripting (XSS) vulnerability (High)
CVE-2025-67641 was published for io.jenkins.plugins:coverage (Maven) Dec 10, 2025

Jenkins has a Denial of service vulnerability in HTTP-based CLI (High)
CVE-2025-67635 was published for org.jenkins-ci.main:cli (Maven) Dec 10, 2025
Credited to caverav