GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
102
GitHub Actions
54
Go
4,323
Maven
5,000+
npm
5,000+
NuGet
1,031
pip
5,000+
Pub
13
RubyGems
1,122
Rust
1,494
Swift
61
Unreviewed advisories
All unreviewed
5,000+
6,802 advisories
Filter by severity
dd-trace-java: Improper parsing of W3C baggage headers may lead to DoS
High
CVE-2026-50270
was published
for
com.datadoghq:dd-java-agent
(Maven)
Jul 15, 2026
Apache Fory Java SDK Has Deserialization of Untrusted Data in the Java replace-resolve path
Critical
CVE-2026-50076
was published
for
org.apache.fory:fory-core
(Maven)
Jun 4, 2026
Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls
High
CVE-2025-14874
was published
for
nodemailer
(Maven)
Dec 1, 2025
Logback vulnerable to Object Injection through HardenedObjectInputStream modules
Low
CVE-2026-10532
was published
for
ch.qos.logback:logback-core
(Maven)
Jun 1, 2026
Armeria: External Control of File Name or Path in xDS SDS DataSource
Moderate
CVE-2026-11752
was published
for
com.linecorp.armeria:armeria-xds
(Maven)
Jun 18, 2026
GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page
High
CVE-2025-52465
was published
for
org.geoserver.web:gs-web-app
(Maven)
Jun 12, 2026
GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection
High
CVE-2025-27511
was published
for
org.geoserver.extension:gs-db2
(Maven)
Jun 11, 2026
Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation
Low
CVE-2026-4874
was published
for
org.keycloak:keycloak-services
(Maven)
Mar 26, 2026
Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim
Low
CVE-2026-37977
was published
for
org.keycloak:keycloak-services
(Maven)
Apr 6, 2026
Netty: Denial of Service via Unbounded Headers in StompSubframeDecoder
High
CVE-2026-44891
was published
for
io.netty:netty-codec-stomp
(Maven)
Jul 14, 2026
Apollo ConfigService access key authentication bypass via raw config file appId parsing
High
CVE-2026-59955
was published
for
com.ctrip.framework.apollo:apollo
(Maven)
Jul 13, 2026
Apollo ConfigService access key authentication bypass via appId parsing and non-canonical matching
High
CVE-2026-59954
was published
for
com.ctrip.framework.apollo:apollo
(Maven)
Jul 13, 2026
Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass
Critical
CVE-2026-47065
was published
for
org.apache.mina:mina-core
(Maven)
Jun 3, 2026
Apollo Portal: There is a risk of unauthorized access to the Apollo configuration center
Moderate
CVE-2025-32781
was published
for
com.ctrip.framework.apollo:apollo
(Maven)
Jul 13, 2026
Jaspersoft Reports: Java Deserialization Vulnerability Lleads to Remote Code Execution (RCE)
High
CVE-2026-6009
was published
for
net.sf.jasperreports:jasperreports
(Maven)
May 19, 2026
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login
Low
CVE-2026-48589
was published
for
org.apache.shiro:shiro-jakarta-ee
(Maven)
May 26, 2026
Infinispan: Deserialization of untrusted data in the Hot Rod Java client via automatic byte-array deserialization
High
CVE-2016-0750
was published
for
org.infinispan:infinispan-core
(Maven)
May 13, 2022
netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion
Moderate
CVE-2026-48043
was published
for
io.netty:netty-codec-http2
(Maven)
Jun 11, 2026
Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records
High
CVE-2026-45674
was published
for
io.netty:netty-resolver-dns
(Maven)
Jun 8, 2026
Netty has Insufficient Bailiwick Validation for NS Records
High
CVE-2026-47691
was published
for
io.netty:netty-resolver-dns
(Maven)
Jun 8, 2026
Netty's Lack of Lifecycle Cleanup Leads to Pooled ByteBuf Leak in RedisArrayAggregator
High
CVE-2026-48006
was published
for
io.netty:netty-codec-redis
(Maven)
Jun 11, 2026
Netty HAProxy: Unbalanced Reference Count in Nested PP2_TYPE_SSL TLV Parsing Leads to Memory Exhaustion
High
CVE-2026-48059
was published
for
io.netty:netty-codec-haproxy
(Maven)
Jun 11, 2026
Micronaut has unbounded `formattersCache` in `TimeConverterRegistrar` that Allows Memory Exhaustion via `Accept-Language` Header
High
CVE-2026-44241
was published
for
io.micronaut:micronaut-context
(Maven)
May 6, 2026
Apache Calcite is Vulnerable to Use of Externally-Controlled Input to Select Classes
Moderate
CVE-2026-46718
was published
for
org.apache.calcite:calcite-core
(Maven)
Jun 2, 2026
Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All have an Exposure of Sensitive Information Through Metadata vulnerability
Moderate
CVE-2026-49270
was published
for
org.apache.activemq:activemq-all
(Maven)
Jun 1, 2026
ProTip!
Advisories are also available from the
GraphQL API