GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
128 advisories
Each entry below gives the advisory title, then its severity, review status, identifier, affected package and ecosystem (shown only for GitHub reviewed advisories), and publication date. Titles truncated on the original listing are left truncated.

Improper neutralization of special elements used in an expression language statement ('expression...
  Moderate | Unreviewed | CVE-2026-11561 | published Jun 11, 2026

Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious...
  Moderate | Unreviewed | CVE-2026-40985 | published Jun 11, 2026

A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is...
  Moderate | Unreviewed | CVE-2026-41719 | published Jun 10, 2026

Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when...
  High | Unreviewed | CVE-2026-41729 | published Jun 10, 2026

Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection...
  High | Unreviewed | CVE-2026-41717 | published Jun 10, 2026

Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server...
  High | Unreviewed | CVE-2026-8888 | published Jun 3, 2026

Caddy CVE-2026-30852 Fix Bypass
  Moderate | Reviewed | GHSA-wwhq-w58m-w29c | github.com/caddyserver/caddy/v2 (Go) | published May 19, 2026

GlassFish's gadget handler is vulnerable to RCE
  Critical | Reviewed | CVE-2026-2587 | org.glassfish.jsftemplating:jsftemplating (Maven) | published May 19, 2026

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression...
  Moderate | Unreviewed | CVE-2026-31380 | published May 19, 2026

Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron...
  High | Unreviewed | CVE-2026-26462 | published May 18, 2026

Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs
  High | Reviewed | CVE-2026-41705 | org.springframework.ai:spring-ai-milvus-store (Maven) | published May 9, 2026

Sandboxed Thymeleaf expressions vulnerable to improper recognition of unauthorized syntax patterns
  Critical | Reviewed | CVE-2026-41901 | org.thymeleaf:thymeleaf (Maven) | published May 4, 2026

OmniFaces: EL injection via crafted resource name in wildcard CDN mapping
  High | Reviewed | CVE-2026-41883 | org.omnifaces:omnifaces (Maven) | published Apr 16, 2026

Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf
  Critical | Reviewed | CVE-2026-40478 | org.thymeleaf:thymeleaf (Maven) | published Apr 15, 2026

Improper restriction of the scope of accessible objects in Thymeleaf expressions
  Critical | Reviewed | CVE-2026-40477 | org.thymeleaf:thymeleaf (Maven) | published Apr 15, 2026

Expression Injection in OpenRemote
  Critical | Reviewed | CVE-2026-39842 | io.openremote:openremote-manager (Maven) | published Apr 14, 2026

Spring AI: SpEL injection is triggered when a user-supplied value is used as a filter expression key
  Critical | Reviewed | CVE-2026-22738 | org.springframework.ai:spring-ai-vector-store (Maven) | published Mar 27, 2026

JSONPath Injection in Spring AI Vector Stores FilterExpressionConverter
  High | Reviewed | CVE-2026-22729 | org.springframework.ai:spring-ai-vector-store (Maven) | published Mar 18, 2026

Apache IoTDB has an Improper Input Validation vulnerability
  Critical | Reviewed | CVE-2026-24713 | org.apache.iotdb:iotdb-core (Maven) | published Mar 9, 2026

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression...
  High | Unreviewed | CVE-2025-11175 | published Jan 30, 2026

Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection
  High | Reviewed | CVE-2025-41253 | org.springframework.cloud:spring-cloud-gateway-server (Maven) | published Oct 16, 2025

Hutool allows remote code execution (RCE) via the QLExpressEngine class
  High | Reviewed | CVE-2025-56769 | cn.hutool:hutool-extra (Maven) | published Sep 26, 2025

An improper neutralization of inputs used in expression language allows remote code execution...
  Critical | Unreviewed | CVE-2025-3322 | published Jun 6, 2025

IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 is vulnerable to an...
  Critical | Unreviewed | CVE-2024-51466 | published Dec 20, 2024

QOS.CH logback-core Expression Language Injection vulnerability
  Moderate | Reviewed | CVE-2024-12798 | ch.qos.logback:logback-core (Maven) | published Dec 19, 2024
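Several entries above (Spring Data KeyValue, Spring Data REST, Spring Data MongoDB, Spring AI vector stores) describe the same shape of bug: a user-supplied value is spliced into a SpEL expression that is then evaluated with a fully privileged StandardEvaluationContext. The following is an added example, not code from any listed advisory or from the Spring project, showing that shape next to the two mitigations a reviewer would expect. The class, the `Record` type, the `#root.` template, the allowlist and the payload are illustrative assumptions; the only real API used is `org.springframework:spring-expression`, which is assumed to be on the classpath.

```java
import java.util.Set;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/**
 * Illustrative SpEL injection and its mitigations. Not taken from any advisory in the
 * listing; class, property and method names and the "#root." template are assumptions.
 * Requires org.springframework:spring-expression on the classpath (Java 9+ for Set.of).
 */
public class SpelFilterKeyDemo {

    /** Data the application means to expose to expressions (constructed sample type). */
    public static final class Record {
        private final String id;
        private final String owner;
        public Record(String id, String owner) { this.id = id; this.owner = owner; }
        public String getId() { return id; }
        public String getOwner() { return owner; }
    }

    /** Property names a caller may select. Anything else is rejected before parsing. */
    private static final Set<String> ALLOWED_KEYS = Set.of("id", "owner");

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Splices a caller-supplied key into an expression: the pattern the entries above describe. */
    private static Expression parseKey(String userKey) {
        return PARSER.parseExpression("#root." + userKey);
    }

    /**
     * VULNERABLE: StandardEvaluationContext permits type references T(...), constructors,
     * bean references and arbitrary method calls, so the "key" is effectively code.
     */
    public static Object selectUnsafe(Record root, String userKey) {
        EvaluationContext ctx = new StandardEvaluationContext(root);
        return parseKey(userKey).getValue(ctx);
    }

    /**
     * MITIGATED: SimpleEvaluationContext in read-only data-binding mode exposes property
     * reads on the root object only; T(...), new, @bean and method invocation fail at
     * evaluation time with an EvaluationException. Untrusted text still reaches the parser.
     */
    public static Object selectRestricted(Record root, String userKey) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return parseKey(userKey).getValue(ctx, root);
    }

    /**
     * PREFERRED: do not evaluate user input as an expression at all. Check the key against
     * an allowlist of property names, then evaluate only the known-good expression.
     */
    public static Object selectAllowlisted(Record root, String userKey) {
        if (!ALLOWED_KEYS.contains(userKey)) {
            throw new IllegalArgumentException("unknown filter key: " + userKey);
        }
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return parseKey(userKey).getValue(ctx, root);
    }

    public static void main(String[] args) {
        Record rec = new Record("doc-1", "alice");
        // Benign key: behaves identically in every variant.
        String benign = "owner";
        // Attacker-controlled key: a type reference reaching java.lang.System. Under the
        // standard context it could equally be T(java.lang.Runtime).getRuntime().exec(...).
        String hostile = "owner.concat(T(java.lang.System).getProperty('user.name'))";

        System.out.println("unsafe/benign      : " + selectUnsafe(rec, benign));
        System.out.println("unsafe/hostile     : " + selectUnsafe(rec, hostile)); // leaks the OS user name
        System.out.println("restricted/benign  : " + selectRestricted(rec, benign));
        try {
            selectRestricted(rec, hostile);
        } catch (ExpressionException e) {
            System.out.println("restricted/hostile : rejected (" + e.getClass().getSimpleName() + ")");
        }
        try {
            selectAllowlisted(rec, hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("allowlisted/hostile: rejected before parsing");
        }
    }
}
```

The order of preference matters: the allowlist removes the injection entirely, while `SimpleEvaluationContext` only caps what an injected expression can reach and has itself been the subject of bypass research in template engines (compare the Thymeleaf "sandboxed expressions" entries above). When auditing code paths like the ones these advisories describe, search for `StandardEvaluationContext` and `parseExpression(` fed by request data, template parameters or stored document fields, and treat any such site as a finding until the input is shown to be constant or allowlisted.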