Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
47
GitHub Actions
48
Go
3,378
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,573
Pub
13
RubyGems
1,013
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

6,352 advisories

Loading
MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *) Moderate
CVE-2026-34237 was published for io.modelcontextprotocol.sdk:mcp-core (Maven) Mar 30, 2026
srikanthramu Credited to srikanthramu
FHIR Validator HTTP service has SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft Critical
CVE-2026-34361 was published for ca.uhn.hapi.fhir:org.hl7.fhir.validation (Maven) Mar 30, 2026
offset Credited to offset
FHIR Validator: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing Moderate
CVE-2026-34360 was published for ca.uhn.hapi.fhir:org.hl7.fhir.core (Maven) Mar 30, 2026
offset Credited to offset
HAPI FHIR Core has Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect High
CVE-2026-34359 was published for ca.uhn.hapi.fhir:org.hl7.fhir.core (Maven) Mar 30, 2026
offset Credited to offset
Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON High
CVE-2026-34214 was published for io.trino:trino-iceberg (Maven) Mar 29, 2026
findinpath Credited to findinpath, ebyhr, chenjian2664, losipiuk, and findepi ebyhr ebyhr
chenjian2664 chenjian2664 losipiuk losipiuk findepi findepi
AWS SDK for Java 2.0: Improper Handling of Special Characters in CloudFront Signing Utilities High
GHSA-443w-3rq3-5m5h was published for software.amazon.awssdk:cloudfront (Maven) Mar 27, 2026
Undertow is Vulnerable to HTTP Request/Response Smuggling High
CVE-2026-28369 was published for io.undertow:undertow-parent (Maven) Mar 27, 2026
Undertow is Vulnerable to HTTP Request/Response Smuggling High
CVE-2026-28368 was published for io.undertow:undertow-parent (Maven) Mar 27, 2026
Undertow is Vulnerable to HTTP Request/Response Smuggling High
CVE-2026-28367 was published for io.undertow:undertow-parent (Maven) Mar 27, 2026
Spring AI: Insufficient Validation causes SSRF when processing multimodal messages with user-supplied URLs High
CVE-2026-22742 was published for org.springframework.ai:spring-ai-bedrock-converse (Maven) Mar 27, 2026
Spring AI has a Cypher Injection vulnerability in Neo4jVectorFilterExpressionConverter High
CVE-2026-22743 was published for org.springframework.ai:spring-ai-neo4j-store (Maven) Mar 27, 2026
Spring AI Redis Store has TAG Field Query Injection Through Improper Neutralization of Special Characters High
CVE-2026-22744 was published for org.springframework.ai:spring-ai-redis-store (Maven) Mar 27, 2026
Spring AI: SpEL injection is triggered when a user-supplied value is used as a filter expression key Critical
CVE-2026-22738 was published for org.springframework.ai:spring-ai-vector-store (Maven) Mar 27, 2026
Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure Moderate
CVE-2026-3190 was published for org.keycloak:keycloak-model-jpa (Maven) Mar 26, 2026
Keycloak: manage-clients permission escalates to full realm admin access Moderate
CVE-2026-3121 was published for org.keycloak:keycloak-services (Maven) Mar 26, 2026
Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass High
CVE-2026-33871 was published for io.netty:netty-codec-http2 (Maven) Mar 26, 2026
sprabhav7 Credited to sprabhav7
Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing High
CVE-2026-33870 was published for io.netty:netty-codec-http (Maven) Mar 26, 2026
xclow3n Credited to xclow3n
splunk-otel-javaagent: Unsafe deserialization in RMI instrumentation may lead to Remote Code Execution Critical
GHSA-h8w2-rv57-vc6f was published for com.splunk:splunk-otel-javaagent (Maven) Mar 26, 2026
dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution Critical
CVE-2026-33728 was published for com.datadoghq:dd-java-agent (Maven) Mar 26, 2026
Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation Low
CVE-2026-4874 was published for org.keycloak:keycloak-services (Maven) Mar 26, 2026
krapovneru Credited to krapovneru
pf4j is vulnerable to Path Traversal or Zip Slip attack through improper handling of zip entry names High
CVE-2025-70952 was published for org.pf4j:pf4j (Maven) Mar 25, 2026
OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution Critical
CVE-2026-33701 was published for io.opentelemetry.javaagent:opentelemetry-javaagent (Maven) Mar 25, 2026
Plexus-Utils has a Directory Traversal vulnerability in its extractFile method High
CVE-2025-67030 was published for org.codehaus.plexus:plexus-utils (Maven) Mar 25, 2026
sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows Moderate
CVE-2026-32948 was published for org.scala-sbt:sbt (Maven) Mar 24, 2026
anatoliykmetyuk Credited to anatoliykmetyuk and eed3si9n eed3si9n eed3si9n
Apache Artemis: Unauthorized Temporary Address Creation via OpenWire Protocol Low
CVE-2026-32642 was published for org.apache.activemq:artemis-openwire-protocol (Maven) Mar 24, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database