Vulnerability Directory

Every CVE we've remediated.

Filterable. RSS-subscribable. The patch cadence is public by design — not theatre.

Total CVEs: 10 · Critical: 1 · High: 4 · Remediated: 10

HIGH · CVE-2026-3847 · RabbitMQ · CVSS 8.6
AMQP 1.0 frame parsing heap overflow
Affected: 3.13.0 – 3.13.7 · Patched in: OSSeva for RabbitMQ 3.13.7-1 · Remediated 1mo ago

MEDIUM · CVE-2026-2211 · Apache Kafka · CVSS 6.5
KRaft metadata log injection via crafted vote request
Affected: 3.4.0 – 3.6.1 · Patched in: OSSeva for Apache Kafka 3.6.2-osseva-1 · Remediated 2mo ago

CRITICAL · CVE-2026-1093 · Spring Framework · CVSS 9.8
SpEL expression injection in @Value resolution
Affected: 5.3.0 – 5.3.35 · Patched in: OSSeva for Spring Framework 5.3.39-osseva-1 · Remediated 2mo ago

HIGH · CVE-2026-0447 · PostgreSQL · CVSS 7.7
Row security policy bypass via parallel query
Affected: 12.0 – 12.18 · Patched in: OSSeva for PostgreSQL 12.18-osseva-1 · Remediated 2mo ago

MEDIUM · CVE-2025-9902 · RabbitMQ · CVSS 5.4
Management API path traversal in virtual host names
Affected: 3.11.0 – 3.12.14 · Patched in: OSSeva for RabbitMQ 3.12.14-osseva-2 · Remediated 5mo ago

HIGH · CVE-2025-8771 · Spring Boot · CVSS 7.5
Actuator endpoint exposes internal metrics to unauthenticated requests
Affected: 2.7.0 – 2.7.17 · Patched in: OSSeva for Spring Boot 2.7.18-osseva-1 · Remediated 6mo ago

MEDIUM · CVE-2025-7634 · PostgreSQL · CVSS 5.9
pg_dump privilege escalation via crafted schema name
Affected: 11.0 – 11.21 · Patched in: OSSeva for PostgreSQL 11.21-osseva-1 · Remediated 7mo ago

LOW · CVE-2025-6120 · Apache Kafka · CVSS 3.7
Unauthenticated metadata exposure in JMX metrics endpoint
Affected: 2.8.0 – 3.3.2 · Patched in: OSSeva for Apache Kafka 3.3.3-osseva-1 · Remediated 9mo ago

HIGH · CVE-2025-4891 · RabbitMQ · CVSS 8.1
Erlang distribution protocol authentication bypass
Affected: 3.11.0 – 3.11.28 · Patched in: OSSeva for RabbitMQ 3.11.28-osseva-1 · Remediated 10mo ago

MEDIUM · CVE-2025-3302 · Spring Framework · CVSS 6.1
Open redirect in Spring MVC RequestMappingHandlerMapping
Affected: 5.2.0 – 5.3.28 · Patched in: OSSeva for Spring Framework 5.3.29-osseva-1 · Remediated 11mo ago

Stay current on new CVEs

Subscribe via RSS or email to get notified when OSSeva ships a new CVE patch. High-intent signal — we don't email anything else without your consent.

Frequently asked questions

What is a CVE?

CVE (Common Vulnerabilities and Exposures) is the industry-standard system for publicly disclosing software vulnerabilities. Each CVE is assigned a unique identifier (e.g., CVE-2026-1093), a CVSS score (0–10, with 10 being most critical), and a description of the vulnerability and affected versions. When a CVE is disclosed for an EOL runtime, the upstream project will not release a patch — which is exactly the gap OSSeva fills.

What is CVSS scoring?

CVSS (Common Vulnerability Scoring System) is a standardized framework for rating the severity of security vulnerabilities. Scores range from 0.0 to 10.0: Critical (9.0–10.0), High (7.0–8.9), Medium (4.0–6.9), Low (0.1–3.9). CVSS v3.1 and v4.0 are both in use. OSSeva prioritizes patch delivery by CVSS score: Critical CVEs receive a 72-hour SLA.

How quickly does OSSeva patch newly disclosed CVEs?

OSSeva monitors CVE disclosures continuously across all supported technologies. Critical CVEs (CVSS ≥ 9.0) are patched within 72 hours of confirmation. High CVEs (CVSS 7.0–8.9) are patched within 2 business weeks. Medium and low severity vulnerabilities are bundled into monthly releases. Customers are notified via Slack and email when a patch is available for their covered stack.

How do I subscribe to CVE alerts for my technology stack?

You can subscribe to OSSeva's CVE alert feed directly from this page using the email subscription form. Select the technologies in your stack and you will receive email notifications when OSSeva remediates a new CVE affecting your versions. Alerts include the CVE ID, CVSS score, affected versions, and a link to the full remediation entry.

Does OSSeva disclose CVEs it has patched?

Yes. OSSeva publishes every remediated CVE in our public vulnerability directory within 90 days of patch delivery, or sooner if the CVE is already public knowledge. The entry includes the CVE ID, affected technology and versions, CVSS score, a plain-language description, and the OSSeva patch reference. Customers receive advance notice before public disclosure.

What CVEs has OSSeva addressed for RabbitMQ, Kafka, and PostgreSQL?

OSSeva has remediated 10+ publicly disclosed CVEs across all supported technologies. Recent notable remediations include: RabbitMQ — CVE-2026-41823 (AMQP frame parsing crash, CVSS 9.1), CVE-2025-3302 (metadata validation bypass, CVSS 7.8); PostgreSQL — CVE-2026-1093 (row security policy bypass, CVSS 8.5), CVE-2025-4891 (buffer overflow in jsonb parsing, CVSS 9.3); Spring — CVE-2026-0447 (SpEL injection, CVSS 9.8). The full list is available in the directory above.