Today, Liquibase is proud to release the open source Liquibase CVE Library (Common Vulnerabilities and Exposures Library) to foster security and transparency across the Liquibase Community. The free, publicly available library helps users of older versions of Liquibase Community identify existing vulnerabilities and get a clearer sense of their security posture. By tying vulnerability data directly to Liquibase releases, the CVE Library helps teams see their risk exposure, compare versions, and take informed action to secure the software they run.
Attackers need to find only a single exploit to breach a network and IT infrastructure, which makes comprehensive CVE libraries increasingly valuable to security teams seeking to stay ahead of Mythos-class threat capabilities by patching all known weaknesses before they can be targeted.
To date, the Liquibase Community project has been downloaded over 100 million times.
How does the Liquibase CVE Library work?
Every time Liquibase ships a new release, automated security scanning tools analyze both the Docker image and the Liquibase binary for known vulnerabilities. Scanning also runs against previously published images, maintaining an up-to-date view of the evolving threat landscape and catching anything that surfaces post-release. The site organizes everything by image and version. You can see a high-level security grade and CVE counts for the latest release, drill into any specific version for the full vulnerability list, or use the comparison tool to see exactly which CVEs were resolved, or introduced, between two releases.
Which environments are supported?
- Docker images: The official Liquibase Community Docker image.
- Liquibase binary: Vulnerabilities in the Liquibase JARs themselves, regardless of how you install it.
What you’ll see
For each vulnerability, the CVE Library shows:
- CVE ID, Severity, and CVSS score: Presented with clear information and links to learn more.
- Affected package: The specific details needed to understand what is vulnerable.
- Fix available: The package version that resolves it, if one exists, and, where applicable, the first Liquibase image version where the CVE no longer appears.
- Component type: Additional vulnerability details to help understand the risk.
- First-party vs. third-party: Whether the vulnerability is in Liquibase’s own code or an upstream dependency.
The full list is filterable by severity, component type, and keyword search, and can be exported as CSV or PDF. (Please also see figures with press release link on Business Wire, linked above.)
Part of a broader commitment to the Community
The CVE Library doesn’t stand alone. Since September of 2025, Liquibase has released a steady stream of enhancements and fixes for the Liquibase Community. Recently, in May of 2026, Liquibase standardized on two clear paths to updates: quarterly Community releases and continuous nightly builds on GitHub (available at github.com/liquibase/liquibase/releases/tag/nightly). The CVE Library now makes that ongoing work readily visible, so users don’t have to just trust that issues are being addressed; they can see it, release by release.
For teams that need enterprise assurance
The Liquibase CVE Library gives Community users clear visibility into known vulnerability exposure. For organizations running Liquibase in regulated, mission-critical, AI-enabled, or enterprise production environments, visibility is often the first step. Liquibase Secure provides a fully supported enterprise distribution with SLA-backed support, tested components, policy checks, drift detection, structured audit logs, and governance controls for teams that need to reduce risk while maintaining delivery velocity.
Take a look and get involved
The Liquibase Community thrives because people around the world step up to contribute. Here’s how to get in touch and take part:
This entry was posted on June 12, 2026 at 8:06 am and is filed under Commentary with tags Liquibase.
Liquibase Launches Free CVE Library for Community Users, Safer Db Governance for AI Era