GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

825 advisories

com.enonic.xp:lib-auth vulnerable to Session Fixation Critical
CVE-2024-23679 was published for com.enonic.xp:lib-auth (Maven) Oct 12, 2022
Duplicate Advisory: Session fixation in Enonic XP Critical
GHSA-4hrp-m3f2-643j was published for com.enonic.xp:lib-auth (Maven) Jan 19, 2024 withdrawn
Hard-coded System User Credentials in Folio Data Export Spring module Critical
CVE-2024-23687 was published for org.folio:mod-data-export-spring (Maven) Jul 25, 2023
Duplicate Advisory: Hard-coded credentials in org.folio:mod-data-export-spring Critical
GHSA-9rhq-86fm-qxqc was published for org.folio:mod-data-export-spring (Maven) Jan 20, 2024 withdrawn
XDocReport affected by an XML External Entity (XXE) vulnerability Critical
CVE-2025-65482 was published for fr.opensagres.xdocreport:fr.opensagres.xdocreport.document (Maven) Jan 20, 2026
XDocReport affected by a Server-Side Template Injection (SSTI) vulnerability Critical
CVE-2025-64087 was published for fr.opensagres.xdocreport:fr.opensagres.xdocreport.template.freemarker (Maven) Jan 20, 2026
Undertow HTTP server core doesn't properly validate the Host header in incoming HTTP requests Critical
CVE-2025-12543 was published for io.undertow:undertow-core (Maven) Jan 7, 2026
Credited to aldexis
XWiki allows SQL injection in query endpoint of REST API with Oracle Critical
CVE-2024-56158 was published for org.xwiki.platform:xwiki-platform-oldcore (Maven) Jun 12, 2025
XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService Critical
CVE-2025-65091 was published for org.xwiki.contrib:macro-fullcalendar-pom (Maven) Jan 9, 2026
FASTJSON Includes Functionality from Untrusted Control Sphere Critical
CVE-2025-70974 was published for com.alibaba:fastjson (Maven) Jan 9, 2026
Improper Input Validation in net.sf.robocode:robocode.host allows for external service interaction Critical
CVE-2019-10648 was published for net.sf.robocode:robocode.host (Maven) Apr 2, 2019
Default CORS config allows any origin with credentials Critical
CVE-2021-39185 was published for org.http4s:http4s-server_2.10 (Maven) Sep 2, 2021
Credited to bplommer
Robocode has an insecure temporary file creation vulnerability in the AutoExtract component Critical
CVE-2025-14307 was published for net.sf.robocode:robocode.battle (Maven) Dec 9, 2025
Robocode vulnerable to Directory Traversal in recursivelyDelete Method Critical
CVE-2025-14306 was published for net.sf.robocode:robocode.core (Maven) Dec 9, 2025
Apache Tika has XXE vulnerability Critical
CVE-2025-66516 was published for org.apache.tika:tika-core (Maven) Dec 4, 2025
Apache Druid’s Kerberos authenticator uses a weak fallback secret Critical
CVE-2025-59390 was published for org.apache.druid:druid (Maven) Nov 26, 2025
Apache Causeway vulnerable to deserialization in Java Critical
CVE-2025-64408 was published for org.apache.causeway.commons:causeway-commons (Maven) Nov 19, 2025
Eclipse Jersey has a Race Condition Critical
CVE-2025-12383 was published for org.glassfish.jersey.core:jersey-client (Maven) Nov 18, 2025
Credited to irene221b
Apache IoTDB: Deserialization of untrusted Data Critical
CVE-2025-48459 was published for org.apache.iotdb:iotdb-confignode (Maven) Sep 24, 2025
Credited to cai0duque
Apache Tika XXE Vulnerability via Crafted XFA File Inside a PDF Critical
CVE-2025-54988 was published for org.apache.tika:tika-parser-pdf-module (Maven) Aug 20, 2025
Credited to vlsi
Apache Zeppelin remote code execution by adding malicious JDBC connection string Critical
CVE-2024-31864 was published for org.apache.zeppelin:zeppelin-jdbc (Maven) Apr 9, 2024
Credited to oscerd
Clojure classes can be used to craft a serialized object that runs arbitrary code on deserialization Critical
CVE-2017-20189 was published for org.clojure:clojure (Maven) Jan 22, 2024
Apache ActiveMQ is vulnerable to Remote Code Execution Critical
CVE-2023-46604 was published for org.apache.activemq:activemq-client (Maven) Oct 27, 2023
Credited to nmarcoccio and sunSUNQ
Improper Restriction of XML External Entity Reference in Liquibase Critical
CVE-2022-0839 was published for org.liquibase:liquibase-core (Maven) Mar 5, 2022
Apache Tomcat - Authentication Bypass Critical
CVE-2024-52316 was published for org.apache.tomcat:tomcat-catalina (Maven) Nov 18, 2024