GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
96 advisories
Apache Storm Prometheus Reporter vulnerable to Improper Certificate Validation via Global SSL Context Downgrade
Moderate • CVE-2026-40557 was published for org.apache.storm:storm-metrics-prometheus (Maven) • Apr 27, 2026
Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager
High • CVE-2026-24281 was published for org.apache.zookeeper:zookeeper (Maven) • Mar 7, 2026
Apache Tomcat - Client certificate verification bypass
Moderate • CVE-2025-66614 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) • Feb 17, 2026
Elasticsearch PKI Realm Authentication Bypass Vulnerability Allows User Impersonation Through Crafted Client Certificates
Moderate • CVE-2025-37731 was published for org.elasticsearch:elasticsearch (Maven) • Dec 15, 2025
GeoIP processor disables SSL certificate validation when downloading databases
Moderate • GHSA-3xgr-h5hq-7299 was published for org.opensearch.dataprepper.plugins:geoip-processor (Maven) • Oct 15, 2025
OpenSearch Data Prepper uses deprecated SSL protocol identifier
Moderate • GHSA-28gg-8qqj-fhh5 was published for org.opensearch.dataprepper.plugins:geoip-processor (Maven) • Oct 15, 2025
OpenSearch Data Prepper plugins trust all SSL certificates by default
High • CVE-2025-62371 was published for org.opensearch.dataprepper.plugins:opensearch (Maven) • Oct 15, 2025
JRuby-OpenSSL has hostname verification disabled by default
Moderate • CVE-2025-46551 was published for jruby-openssl (RubyGems) • May 7, 2025
Apache HttpClient disables domain checks
High • CVE-2025-27820 was published for org.apache.httpcomponents.client5:httpclient5 (Maven) • Apr 24, 2025
Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination
High • CVE-2024-10039 was published for org.keycloak:keycloak-core (Maven) • Nov 25, 2024
Missing hostname validation in Kroxylicious
Moderate • CVE-2024-8285 was published for io.kroxylicious:kroxylicious-runtime (Maven) • Aug 31, 2024
Jenkins Delphix Plugin has SSL/TLS certificate validation disabled by default
Moderate • CVE-2024-28161 was published for org.jenkins-ci.plugins:delphix (Maven) • Mar 6, 2024
Jenkins Delphix Plugin has improper SSL/TLS certificate validation
Moderate • CVE-2024-28162 was published for org.jenkins-ci.plugins:delphix (Maven) • Mar 6, 2024
Improper Certificate Validation in Apache DolphinScheduler
High • CVE-2023-49250 was published for org.apache.dolphinscheduler:dolphinscheduler (Maven) • Feb 20, 2024
light-oauth2 missing public key verification
Moderate • CVE-2023-31580 was published for com.networknt:light-oauth2 (Maven) • Oct 25, 2023
Withdrawn Advisory: Netty-handler does not validate host names by default
Moderate • CVE-2023-4586 was published for io.netty:netty-handler (Maven) • Oct 4, 2023 • withdrawn
Bouncy Castle For Java LDAP injection vulnerability
Moderate • CVE-2023-33201 was published for org.bouncycastle:bcprov-debug-jdk14 (Maven) • Jul 5, 2023
Keycloak vulnerable to Improper Client Certificate Validation for OAuth/OpenID clients
High • CVE-2023-2422 was published for org.keycloak:keycloak-services (Maven) • Jun 30, 2023
Keycloak Untrusted Certificate Validation vulnerability
Moderate • CVE-2023-1664 was published for org.keycloak:keycloak-core (Maven) • Jun 30, 2023
SSL/TLS certificate validation disabled by default in Jenkins Checkmarx Plugin
High • CVE-2023-35142 was published for com.checkmarx.jenkins:checkmarx (Maven) • Jun 14, 2023
Duplicate Advisory: Keycloak vulnerable to untrusted certificate validation
Moderate • GHSA-c892-cwq6-qrqf was published for org.keycloak:keycloak-core (Maven) • May 26, 2023 • withdrawn
Jenkins SAML Single Sign On(SSO) Plugin unconditionally disables SSL/TLS certificate validation
Moderate • CVE-2023-32994 was published for io.jenkins.plugins:miniorange-saml-sp (Maven) • May 16, 2023
Jenkins NeuVector Vulnerability Scanner Plugin disables SSL/TLS certificate and hostname validation
Moderate • CVE-2023-30517 was published for io.jenkins.plugins:neuvector-vulnerability-scanner (Maven) • Apr 12, 2023
Jenkins Image Tag Parameter Plugin improperly introduces option to opt out of SSL/TLS certificate validation
Moderate • CVE-2023-30516 was published for org.jenkins-ci.plugins:image-tag-parameter (Maven) • Apr 12, 2023
Apache Bookkeeper vulnerable to Improper Certificate Validation
Moderate • CVE-2022-32531 was published for org.apache.bookkeeper:bookkeeper-common (Maven) • Dec 15, 2022