Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,802 advisories

Loading
dd-trace-java: Improper parsing of W3C baggage headers may lead to DoS High
CVE-2026-50270 was published for com.datadoghq:dd-java-agent (Maven) Jul 15, 2026
Apache Fory Java SDK Has Deserialization of Untrusted Data in the Java replace-resolve path Critical
CVE-2026-50076 was published for org.apache.fory:fory-core (Maven) Jun 4, 2026
Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls High
CVE-2025-14874 was published for nodemailer (Maven) Dec 1, 2025
uko3211 Credited to uko3211 and albertabiev1 albertabiev1 albertabiev1
Logback vulnerable to Object Injection through HardenedObjectInputStream modules Low
CVE-2026-10532 was published for ch.qos.logback:logback-core (Maven) Jun 1, 2026
lgf10 Credited to lgf10
Armeria: External Control of File Name or Path in xDS SDS DataSource Moderate
CVE-2026-11752 was published for com.linecorp.armeria:armeria-xds (Maven) Jun 18, 2026
zzoru Credited to zzoru
GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page High
CVE-2025-52465 was published for org.geoserver.web:gs-web-app (Maven) Jun 12, 2026
YacineF Credited to YacineF, sikeoka, partywavesec, and jodygarnett sikeoka sikeoka
partywavesec partywavesec jodygarnett jodygarnett
GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection High
CVE-2025-27511 was published for org.geoserver.extension:gs-db2 (Maven) Jun 11, 2026
H4cking2theGate Credited to H4cking2theGate, jodygarnett, and aaime jodygarnett jodygarnett
aaime aaime
Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation Low
CVE-2026-4874 was published for org.keycloak:keycloak-services (Maven) Mar 26, 2026
krapovneru Credited to krapovneru, dnegreira, and ahus1 dnegreira dnegreira
ahus1 ahus1
Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim Low
CVE-2026-37977 was published for org.keycloak:keycloak-services (Maven) Apr 6, 2026
ahus1 Credited to ahus1
Netty: Denial of Service via Unbounded Headers in StompSubframeDecoder High
CVE-2026-44891 was published for io.netty:netty-codec-stomp (Maven) Jul 14, 2026
violetagg Credited to violetagg
Apollo ConfigService access key authentication bypass via raw config file appId parsing High
CVE-2026-59955 was published for com.ctrip.framework.apollo:apollo (Maven) Jul 13, 2026
zhou-youyou Credited to zhou-youyou and Jarvis-Huanglz Jarvis-Huanglz Jarvis-Huanglz
Apollo ConfigService access key authentication bypass via appId parsing and non-canonical matching High
CVE-2026-59954 was published for com.ctrip.framework.apollo:apollo (Maven) Jul 13, 2026
zhou-youyou Credited to zhou-youyou and Jarvis-Huanglz Jarvis-Huanglz Jarvis-Huanglz
Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass Critical
CVE-2026-47065 was published for org.apache.mina:mina-core (Maven) Jun 3, 2026
Apollo Portal: There is a risk of unauthorized access to the Apollo configuration center Moderate
CVE-2025-32781 was published for com.ctrip.framework.apollo:apollo (Maven) Jul 13, 2026
lesignals Credited to lesignals
Jaspersoft Reports: Java Deserialization Vulnerability Lleads to Remote Code Execution (RCE) High
CVE-2026-6009 was published for net.sf.jasperreports:jasperreports (Maven) May 19, 2026
pmurck Credited to pmurck and yaso-bash yaso-bash yaso-bash
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login Low
CVE-2026-48589 was published for org.apache.shiro:shiro-jakarta-ee (Maven) May 26, 2026
yeikel Credited to yeikel
Infinispan: Deserialization of untrusted data in the Hot Rod Java client via automatic byte-array deserialization High
CVE-2016-0750 was published for org.infinispan:infinispan-core (Maven) May 13, 2022
netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion Moderate
CVE-2026-48043 was published for io.netty:netty-codec-http2 (Maven) Jun 11, 2026
Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records High
CVE-2026-45674 was published for io.netty:netty-resolver-dns (Maven) Jun 8, 2026
violetagg Credited to violetagg
Netty has Insufficient Bailiwick Validation for NS Records High
CVE-2026-47691 was published for io.netty:netty-resolver-dns (Maven) Jun 8, 2026
violetagg Credited to violetagg
Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator High
CVE-2026-48006 was published for io.netty:netty-codec-redis (Maven) Jun 11, 2026
Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion High
CVE-2026-48059 was published for io.netty:netty-codec-haproxy (Maven) Jun 11, 2026
Micronaut has unbounded `formattersCache` in `TimeConverterRegistrar` that Allows Memory Exhaustion via `Accept-Language` Header High
CVE-2026-44241 was published for io.micronaut:micronaut-context (Maven) May 6, 2026
offset Credited to offset
Apache Calcite is Vulnerable to Use of Externally-Controlled Input to Select Classes Moderate
CVE-2026-46718 was published for org.apache.calcite:calcite-core (Maven) Jun 2, 2026
Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All have an Exposure of Sensitive Information Through Metadata vulnerability Moderate
CVE-2026-49270 was published for org.apache.activemq:activemq-all (Maven) Jun 1, 2026
ProTip! Advisories are also available from the GraphQL API