Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
4,950
Erlang
39
GitHub Actions
38
Go
2,603
Maven
5,000+
npm
4,250
NuGet
755
pip
4,013
Pub
12
RubyGems
953
Rust
1,048
Swift
45
Unreviewed advisories
All unreviewed
5,000+

6,053 advisories

Loading
Liferay Portal ComboServlet denial of service via large file combination Moderate
CVE-2025-62254 was published for com.liferay.portal:com.liferay.portal.impl (Maven) Oct 24, 2025
MCMS reflected cross-site scripting (XSS) vulnerability Moderate
CVE-2025-60837 was published for net.mingsoft:ms-mcms (Maven) Oct 23, 2025
Liferay Portal Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page Low
CVE-2025-62255 was published for com.liferay:com.liferay.knowledge.base.web (Maven) Oct 23, 2025
Liferay Portal and DXP do not properly restrict access to OpenAPI Moderate
CVE-2025-62256 was published for com.liferay:com.liferay.portal.security.auth.verifier (Maven) Oct 23, 2025
Keycloak does not invalidate sessions when "Remember Me" is disabled Moderate
CVE-2025-11429 was published for org.keycloak:keycloak-services (Maven) Oct 23, 2025
Keycloak does not invalidate offline sessions when the offline_access scope is removed Moderate
CVE-2025-12110 was published for org.keycloak:keycloak-services (Maven) Oct 23, 2025
Liferay Portal and DXP are Missing Authorization in Collection Provider Low
CVE-2025-62247 was published for com.liferay:com.liferay.search.experiences.service (Maven) Oct 22, 2025
Liferay Portal and Liferay DXP vulnerable to reflected cross-site scripting (XSS) Moderate
CVE-2025-62248 was published for com.liferay:com.liferay.dynamic.data.mapping.web (Maven) Oct 22, 2025
Sakai kernel-impl: predictable PRNG used to generate server‑side encryption key in EncryptionUtilityServiceImpl Moderate
CVE-2025-62710 was published for org.sakaiproject.kernel:sakai-kernel-impl (Maven) Oct 22, 2025
Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names Low
CVE-2025-11966 was published for io.vertx:vertx-web (Maven) Oct 22, 2025
Vert.x-Web Access Control Flaw in StaticHandler’s Hidden File Protection for Files Under Hidden Directories Moderate
CVE-2025-11965 was published for io.vertx:vertx-web (Maven) Oct 22, 2025
Liferay Portal reflected cross-site scripting (XSS) vulnerability in the google_gaget Moderate
CVE-2025-62249 was published for com.liferay.portal:com.liferay.portal.impl (Maven) Oct 21, 2025
Liferay Portal fails to verify messages from the cluster network is trusted Moderate
CVE-2025-62250 was published for com.liferay:com.liferay.portal.cluster.multiple (Maven) Oct 21, 2025
Apache Syncope allows malicious administrators to inject Groovy code High
CVE-2025-57738 was published for org.apache.syncope.core:syncope-core-spring (Maven) Oct 20, 2025
Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system High
CVE-2025-47410 was published for org.apache.geode:geode-web (Maven) Oct 18, 2025
MCMS vulnerable SQL injection via the content_title parameter Critical
CVE-2025-56316 was published for net.mingsoft:ms-mcms (Maven) Oct 17, 2025
Keycloak error_description injection on error pages that can trigger phishing attacks Moderate
CVE-2025-10044 was published for org.keycloak:keycloak-account-ui (Maven) Oct 17, 2025
Mammoth is vulnerable to Directory Traversal Moderate
CVE-2025-11849 was published for Mammoth (Maven) Oct 17, 2025
Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection High
CVE-2025-41253 was published for org.springframework.cloud:spring-cloud-gateway-server-webflux (Maven) Oct 16, 2025
Spring Framework STOMP over WebSocket applications may allow attackers to send unauthorized messages Moderate
CVE-2025-41254 was published for org.springframework:spring-websocket (Maven) Oct 16, 2025
GeoIP processor disables SSL certificate validation when downloading databases Moderate
GHSA-3xgr-h5hq-7299 was published for org.opensearch.dataprepper.plugins:geoip-processor (Maven) Oct 15, 2025
OpenSearch Data Prepper uses deprecated SSL protocol identifier Moderate
GHSA-28gg-8qqj-fhh5 was published for org.opensearch.dataprepper.plugins:geoip-processor (Maven) Oct 15, 2025
OpenSearch Data Prepper plugins trust all SSL certificates by default High
CVE-2025-62371 was published for org.opensearch.dataprepper.plugins:opensearch (Maven) Oct 15, 2025
Netty has SMTP Command Injection Vulnerability that Allows Email Forgery High
CVE-2025-59419 was published for io.netty:netty-codec-smtp (Maven) Oct 15, 2025
DepthFirstDisclosures
Credited to DepthFirstDisclosures
Apache Spark has Inadequate Encryption Strength Moderate
CVE-2025-55039 was published for org.apache.spark:spark-network-common_2.12 (Maven) Oct 15, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database