GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
6,053 advisories
Liferay Portal ComboServlet denial of service via large file combination
Moderate | CVE-2025-62254 was published for com.liferay.portal:com.liferay.portal.impl (Maven) | Oct 24, 2025
MCMS reflected cross-site scripting (XSS) vulnerability
Moderate | CVE-2025-60837 was published for net.mingsoft:ms-mcms (Maven) | Oct 23, 2025
Liferay Portal Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page
Low | CVE-2025-62255 was published for com.liferay:com.liferay.knowledge.base.web (Maven) | Oct 23, 2025
Liferay Portal and DXP do not properly restrict access to OpenAPI
Moderate | CVE-2025-62256 was published for com.liferay:com.liferay.portal.security.auth.verifier (Maven) | Oct 23, 2025
Keycloak does not invalidate sessions when "Remember Me" is disabled
Moderate | CVE-2025-11429 was published for org.keycloak:keycloak-services (Maven) | Oct 23, 2025
Keycloak does not invalidate offline sessions when the offline_access scope is removed
Moderate | CVE-2025-12110 was published for org.keycloak:keycloak-services (Maven) | Oct 23, 2025
Liferay Portal and DXP are Missing Authorization in Collection Provider
Low | CVE-2025-62247 was published for com.liferay:com.liferay.search.experiences.service (Maven) | Oct 22, 2025
Liferay Portal and Liferay DXP vulnerable to reflected cross-site scripting (XSS)
Moderate | CVE-2025-62248 was published for com.liferay:com.liferay.dynamic.data.mapping.web (Maven) | Oct 22, 2025
Sakai kernel-impl: predictable PRNG used to generate server-side encryption key in EncryptionUtilityServiceImpl
Moderate | CVE-2025-62710 was published for org.sakaiproject.kernel:sakai-kernel-impl (Maven) | Oct 22, 2025
Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names
Low | CVE-2025-11966 was published for io.vertx:vertx-web (Maven) | Oct 22, 2025
Vert.x-Web Access Control Flaw in StaticHandler’s Hidden File Protection for Files Under Hidden Directories
Moderate | CVE-2025-11965 was published for io.vertx:vertx-web (Maven) | Oct 22, 2025
Liferay Portal reflected cross-site scripting (XSS) vulnerability in the google_gaget
Moderate | CVE-2025-62249 was published for com.liferay.portal:com.liferay.portal.impl (Maven) | Oct 21, 2025
Liferay Portal fails to verify messages from the cluster network is trusted
Moderate | CVE-2025-62250 was published for com.liferay:com.liferay.portal.cluster.multiple (Maven) | Oct 21, 2025
Apache Syncope allows malicious administrators to inject Groovy code
High | CVE-2025-57738 was published for org.apache.syncope.core:syncope-core-spring (Maven) | Oct 20, 2025
Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system
High | CVE-2025-47410 was published for org.apache.geode:geode-web (Maven) | Oct 18, 2025
MCMS vulnerable SQL injection via the content_title parameter
Critical | CVE-2025-56316 was published for net.mingsoft:ms-mcms (Maven) | Oct 17, 2025
Keycloak error_description injection on error pages that can trigger phishing attacks
Moderate | CVE-2025-10044 was published for org.keycloak:keycloak-account-ui (Maven) | Oct 17, 2025
Mammoth is vulnerable to Directory Traversal
Moderate | CVE-2025-11849 was published for Mammoth (Maven) | Oct 17, 2025
Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection
High | CVE-2025-41253 was published for org.springframework.cloud:spring-cloud-gateway-server-webflux (Maven) | Oct 16, 2025
Spring Framework STOMP over WebSocket applications may allow attackers to send unauthorized messages
Moderate | CVE-2025-41254 was published for org.springframework:spring-websocket (Maven) | Oct 16, 2025
GeoIP processor disables SSL certificate validation when downloading databases
Moderate | GHSA-3xgr-h5hq-7299 was published for org.opensearch.dataprepper.plugins:geoip-processor (Maven) | Oct 15, 2025
OpenSearch Data Prepper uses deprecated SSL protocol identifier
Moderate | GHSA-28gg-8qqj-fhh5 was published for org.opensearch.dataprepper.plugins:geoip-processor (Maven) | Oct 15, 2025
OpenSearch Data Prepper plugins trust all SSL certificates by default
High | CVE-2025-62371 was published for org.opensearch.dataprepper.plugins:opensearch (Maven) | Oct 15, 2025
Netty has SMTP Command Injection Vulnerability that Allows Email Forgery
High | CVE-2025-59419 was published for io.netty:netty-codec-smtp (Maven) | Oct 15, 2025
Apache Spark has Inadequate Encryption Strength
Moderate | CVE-2025-55039 was published for org.apache.spark:spark-network-common_2.12 (Maven) | Oct 15, 2025
ProTip! Advisories are also available from the GraphQL API.