GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

828 advisories

Undertow HTTP server core doesn't properly validate the Host header in incoming HTTP requests Critical
CVE-2025-12543 was published for io.undertow:undertow-core (Maven) Jan 7, 2026
Credited to aldexis and dpogorelov
Eclipse Jersey has a Race Condition Critical
CVE-2025-12383 was published for org.glassfish.jersey.core:jersey-client (Maven) Nov 18, 2025
Credited to irene221b and yeikel
JinJava Bypass through ForTag leads to Arbitrary Java Execution Critical
CVE-2026-25526 was published for com.hubspot.jinjava:jinjava (Maven) Feb 3, 2026
Credited to twilliamson-an, akues-an, and jasmith-hs
H2O has an External Control of File Name or Path vulnerability Critical
CVE-2024-5986 was published for ai.h2o:h2o-core (Maven) Feb 2, 2026
SSRF vulnerability using the Aegis DataBinding in Apache CXF Critical
CVE-2024-28752 was published for org.apache.cxf:cxf-rt-databinding-aegis (Maven) Mar 15, 2024
Credited to johnament
XDocReport affected by a Server-Side Template Injection (SSTI) vulnerability Critical
CVE-2025-64087 was published for fr.opensagres.xdocreport:fr.opensagres.xdocreport.template.freemarker (Maven) Jan 20, 2026
Credited to kevinleturc
Apache Continuum vulnerable to Command Injection through Installations REST API Critical
CVE-2016-15057 was published for org.apache.continuum:continuum (Maven) Jan 26, 2026
com.enonic.xp:lib-auth vulnerable to Session Fixation Critical
CVE-2024-23679 was published for com.enonic.xp:lib-auth (Maven) Oct 12, 2022
Duplicate Advisory: Session fixation in Enonic XP Critical
GHSA-4hrp-m3f2-643j was published for com.enonic.xp:lib-auth (Maven) Jan 19, 2024 withdrawn
Hard-coded System User Credentials in Folio Data Export Spring module Critical
CVE-2024-23687 was published for org.folio:mod-data-export-spring (Maven) Jul 25, 2023
Duplicate Advisory: Hard-coded credentials in org.folio:mod-data-export-spring Critical
GHSA-9rhq-86fm-qxqc was published for org.folio:mod-data-export-spring (Maven) Jan 20, 2024 withdrawn
XDocReport affected by an XML External Entity (XXE) vulnerability Critical
CVE-2025-65482 was published for fr.opensagres.xdocreport:fr.opensagres.xdocreport.document (Maven) Jan 20, 2026
XWiki allows SQL injection in query endpoint of REST API with Oracle Critical
CVE-2024-56158 was published for org.xwiki.platform:xwiki-platform-oldcore (Maven) Jun 12, 2025
XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService Critical
CVE-2025-65091 was published for org.xwiki.contrib:macro-fullcalendar-pom (Maven) Jan 9, 2026
FASTJSON Includes Functionality from Untrusted Control Sphere Critical
CVE-2025-70974 was published for com.alibaba:fastjson (Maven) Jan 9, 2026
Improper Input Validation in net.sf.robocode:robocode.host allows for external service interaction Critical
CVE-2019-10648 was published for net.sf.robocode:robocode.host (Maven) Apr 2, 2019
Default CORS config allows any origin with credentials Critical
CVE-2021-39185 was published for org.http4s:http4s-server_2.10 (Maven) Sep 2, 2021
Credited to bplommer
Robocode has an insecure temporary file creation vulnerability in the AutoExtract component Critical
CVE-2025-14307 was published for net.sf.robocode:robocode.battle (Maven) Dec 9, 2025
Robocode vulnerable to Directory Traversal in recursivelyDelete Method Critical
CVE-2025-14306 was published for net.sf.robocode:robocode.core (Maven) Dec 9, 2025
Apache Tika has XXE vulnerability Critical
CVE-2025-66516 was published for org.apache.tika:tika-core (Maven) Dec 4, 2025
Apache Druid’s Kerberos authenticator uses a weak fallback secret Critical
CVE-2025-59390 was published for org.apache.druid:druid (Maven) Nov 26, 2025
Apache Causeway vulnerable to deserialization in Java Critical
CVE-2025-64408 was published for org.apache.causeway.commons:causeway-commons (Maven) Nov 19, 2025
Apache IoTDB: Deserialization of untrusted Data Critical
CVE-2025-48459 was published for org.apache.iotdb:iotdb-confignode (Maven) Sep 24, 2025
Credited to cai0duque
Apache Tika XXE Vulnerability via Crafted XFA File Inside a PDF Critical
CVE-2025-54988 was published for org.apache.tika:tika-parser-pdf-module (Maven) Aug 20, 2025
Credited to vlsi
Apache Zeppelin remote code execution by adding malicious JDBC connection string Critical
CVE-2024-31864 was published for org.apache.zeppelin:zeppelin-jdbc (Maven) Apr 9, 2024
Credited to oscerd