
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,264 advisories

carbon-apimgt does not properly restrict uploaded files (Critical)
CVE-2025-13590 was published for org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl (Maven) Feb 19, 2026
Apache Avro Java SDK is Vulnerable to Code Injection (Moderate)
CVE-2025-33042 was published for org.apache.avro:avro-compiler (Maven) Feb 13, 2026
Credited to levpachmanov
Keycloak: Missing Check on Disabled Client for Docker Registry Protocol (Low)
CVE-2026-2733 was published for org.keycloak:keycloak-services (Maven) Feb 19, 2026
Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection (High)
CVE-2025-41253 was published for org.springframework.cloud:spring-cloud-gateway-server (Maven) Oct 16, 2025
Credited to scottfrederick
mingSoft MCMS does not properly restrict file uploads (Low)
CVE-2026-2666 was published for net.mingsoft:ms-mcms (Maven) Feb 18, 2026
Jenkins has a stored XSS vulnerability in node offline cause description (High)
CVE-2026-27099 was published for org.jenkins-ci.main:jenkins-core (Maven) Feb 18, 2026
Jenkins has a build information disclosure vulnerability through Run Parameter (Moderate)
CVE-2026-27100 was published for org.jenkins-ci.main:jenkins-core (Maven) Feb 18, 2026
Apache Tomcat - Client certificate verification bypass (Moderate)
CVE-2025-66614 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Feb 17, 2026
Apache Tomcat - Security constraint bypass with HTTP/0.9 (Low)
CVE-2026-24733 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Feb 17, 2026
Leaky JWTs in OpenMetadata exposing highly-privileged bot users (High)
CVE-2026-26010 was published for org.open-metadata:openmetadata-sdk (Maven) Feb 11, 2026
Credited to amfor
Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates (High)
CVE-2026-25903 was published for org.apache.nifi:nifi-web-api (Maven) Feb 17, 2026
Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization (Moderate)
CVE-2025-13467 was published for org.keycloak:keycloak-ldap-federation (Maven) Dec 19, 2025
Credited to eminaktas
Keycloak does not invalidate offline sessions when the offline_access scope is removed (Moderate)
CVE-2025-12110 was published for org.keycloak:keycloak-services (Maven) Oct 23, 2025
Credited to eminaktas
Keycloak does not invalidate sessions when "Remember Me" is disabled (Moderate)
CVE-2025-11429 was published for org.keycloak:keycloak-services (Maven) Oct 23, 2025
Credited to eminaktas
Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService (Moderate)
CVE-2025-14778 was published for org.keycloak:keycloak-services (Maven) Feb 9, 2026
Credited to eminaktas
Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes (Low)
CVE-2025-13881 was published for org.keycloak:keycloak-services (Maven) Feb 2, 2026
Credited to eminaktas
Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens (High)
CVE-2026-1486 was published for org.keycloak:keycloak-services (Maven) Feb 9, 2026
Credited to eminaktas
Wildfly Elytron integration susceptible to brute force attacks via CLI (High)
CVE-2025-23368 was published for org.wildfly.core:wildfly-elytron-integration (Maven) Feb 13, 2026
Duplicate Advisory: Wildfly Elytron integration susceptible to brute force attacks via CLI (High)
GHSA-3jxr-23ph-c89g was published for org.wildfly.core:wildfly-elytron-integration (Maven) Mar 4, 2025 (withdrawn)
Keycloak affected by improper invitation token validation (High)
CVE-2026-1529 was published for org.keycloak:keycloak-services (Maven) Feb 9, 2026
Credited to eminaktas
Keycloak services allows the issuance of access and refresh tokens for disabled users (Moderate)
CVE-2025-14559 was published for org.keycloak:keycloak-services (Maven) Jan 21, 2026
Credited to julianladisch and eminaktas
XWiki vulnerable to click-jacking through CSS injection in comments (Moderate)
CVE-2026-26000 was published for org.xwiki.platform:xwiki-platform-web (Maven) Feb 12, 2026
Credited to keechy1231
XDocReport affected by a Server-Side Template Injection (SSTI) vulnerability (Critical)
CVE-2025-64087 was published for fr.opensagres.xdocreport:fr.opensagres.xdocreport.template.freemarker (Maven) Jan 20, 2026
Credited to kevinleturc
Apache Druid Vulnerable to Authentication Bypass (Critical)
CVE-2026-23906 was published for org.apache.druid.extensions:druid-basic-security (Maven) Feb 10, 2026
Apache Shiro has an Authentication Bypass (Moderate)
CVE-2026-23903 was published for org.apache.shiro:shiro-spring (Maven) Feb 9, 2026
Credited to saivarun3407