Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,029
Maven
5,000+
npm
5,000+
NuGet
976
pip
5,000+
Pub
13
RubyGems
1,070
Rust
1,404
Swift
61
Unreviewed advisories
All unreviewed
5,000+

111 advisories

Loading
Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature Moderate
CVE-2026-50560 was published for io.netty:netty-codec-http2 (Maven) Jun 15, 2026
ashleytolbert Credited to ashleytolbert
Netty: Unbounded pre-allocation in RedisArrayAggregator from RESP array length High
CVE-2026-50011 was published for io.netty:netty-codec-redis (Maven) Jun 15, 2026
violetagg Credited to violetagg
Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion High
CVE-2026-48748 was published for io.netty:netty-codec-http3 (Maven) Jun 15, 2026
violetagg Credited to violetagg
In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header Moderate
CVE-2026-41726 was published for org.springframework.kafka:spring-kafka (Maven) Jun 10, 2026
julianladisch Credited to julianladisch
Netty: SCTP reassembly nests buffers without bound High
CVE-2026-46340 was published for io.netty:netty-transport-sctp (Maven) Jun 8, 2026
Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes High
CVE-2026-45416 was published for io.netty:netty-handler (Maven) Jun 8, 2026
OpenTelemetry Java SDK has Unbounded Memory Allocation in W3C Baggage Propagation Moderate
CVE-2026-45292 was published for io.opentelemetry:opentelemetry-api (Maven) May 14, 2026
August829 Credited to August829, trask, and jack-berg trask trask
jack-berg jack-berg
Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling High
CVE-2026-41284 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
Vert.x has a DoS via unbounded server-side SNI SslContext cache growth Moderate
CVE-2026-6860 was published for io.vertx:vertx-core (Maven) May 9, 2026
shblue21 Credited to shblue21, Preethi-30, and julianladisch Preethi-30 Preethi-30
julianladisch julianladisch
Netty Lz4FrameDecoder is vulnerable to resource exhaustion High
CVE-2026-42583 was published for io.netty:netty-codec (Maven) May 7, 2026
violetagg Credited to violetagg
Netty HTTP/3 QPACK literal unbounded allocation High
CVE-2026-42582 was published for io.netty:netty-codec-http3 (Maven) May 7, 2026
violetagg Credited to violetagg
pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS High
CVE-2026-42198 was published for org.postgresql:postgresql (Maven) May 5, 2026
sehrope Credited to sehrope
XWiki's REST APIs can list all pages/spaces, leading to unavailability Moderate
CVE-2026-40104 was published for org.xwiki.platform:xwiki-platform-legacy-oldcore (Maven) Apr 14, 2026
Jackson Core: Document length constraint bypass in blocking, async, and DataInput parsers High
GHSA-2m67-wjpj-xhg9 was published for tools.jackson.core:jackson-core (Maven) Apr 4, 2026
anyzy2003 Credited to anyzy2003, Adrian-Hirt, and pjfanning Adrian-Hirt Adrian-Hirt
pjfanning pjfanning
Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass High
CVE-2026-33871 was published for io.netty:netty-codec-http2 (Maven) Mar 26, 2026
sprabhav7 Credited to sprabhav7
Undertow: Denial of Service via Multipart/Form-Data Parsing on HTTP GET Requests Moderate
CVE-2026-3260 was published for io.undertow:undertow-core (Maven) Mar 24, 2026
Micronaut Framework vulnerable to a Denial of Service in HTML error response caching High
CVE-2026-33012 was published for io.micronaut:micronaut-http-server (Maven) Mar 17, 2026
shblue21 Credited to shblue21
jackson-core has Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion High
CVE-2026-29062 was published for tools.jackson.core:jackson-core (Maven) Mar 4, 2026
sprabhav7 Credited to sprabhav7 and rohan-repos rohan-repos rohan-repos
jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition Moderate
GHSA-72hv-8253-57qq was published for com.fasterxml.jackson.core:jackson-core (Maven) Feb 28, 2026
sprabhav7 Credited to sprabhav7, rohan-repos, neilmadden-hazelcast, and awsactran rohan-repos rohan-repos
neilmadden-hazelcast neilmadden-hazelcast awsactran awsactran
Undertow Servlets Vulnerable to Remote DoS via OutOfMemoryError when Passed Large Parameter Names High
CVE-2024-4027 was published for io.undertow:undertow-core (Maven) Jan 30, 2026
za-rudeboy Credited to za-rudeboy
Quarkus REST has potential worker thread starvation when HTTP connection is closed while waiting to write Moderate
CVE-2025-66560 was published for io.quarkus:quarkus-rest (Maven) Jan 7, 2026
Elasticsearch has Excessive Allocation of Resources via Submission of Oversized User Settings Data Moderate
CVE-2025-68384 was published for org.elasticsearch.plugin:x-pack-security (Maven) Dec 19, 2025
Elasticsearch privileged authenticated users can cause DoS through Excessive Resource Allocation Moderate
CVE-2025-68390 was published for org.elasticsearch.plugin:x-pack-core (Maven) Dec 19, 2025
XWiki's REST APIs don't enforce any limits, leading to unavailability and OOM in large wikis High
CVE-2025-66473 was published for org.xwiki.platform:xwiki-platform-rest-server (Maven) Dec 10, 2025
Keycloak TLS Client-Initiated Renegotiation Denial of Service High
CVE-2025-11419 was published for org.keycloak:keycloak-quarkus-dist (Maven) Oct 27, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database