Liquibase Launches Free CVE Library for Community Users

Today, Liquibase is proud to release the open source Liquibase CVE Library (Common Vulnerabilities and Exposures Library) to foster security and transparency across the Liquibase Community. The free, publicly available library helps users of older versions of Liquibase Community identify existing vulnerabilities and get a clearer sense of their security posture. By tying vulnerability data directly to Liquibase releases, the CVE Library helps teams see their risk exposure, compare versions, and take informed action to secure the software they run.

This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20260611211971/en/

Figure 1: With a quick view of Liquibase Community vulnerabilities and affected packages, the CVE Library helps users understand their potential risk and exposure.

Attackers need to find only a single exploit to breach a network and IT infrastructure, which makes comprehensive CVE libraries increasingly valuable to security teams seeking to stay ahead of Mythos-class threat capabilities by patching all known weaknesses before they can be targeted.

To date, the Liquibase Community project has been downloaded over 100 million times.

How does the Liquibase CVE Library work?

Every time Liquibase ships a new release, automated security scanning tools analyze both the Docker image and the Liquibase binary for known vulnerabilities. Scanning also runs against previously published images, maintaining an up-to-date view of the evolving threat landscape and catching anything that surfaces post-release. The site organizes everything by image and version. You can see a high-level security grade and CVE counts for the latest release, drill into any specific version for the full vulnerability list, or use the comparison tool to see exactly which CVEs were resolved, or introduced, between two releases.

Which environments are supported?

The CVE Library currently covers two areas:

  • Docker images: The official Liquibase Community Docker image.

  • Liquibase binary: Vulnerabilities in the Liquibase JARs themselves, regardless of how you install it.

What you’ll see

For each vulnerability, the CVE Library shows:

  • CVE ID, Severity, and CVSS score: Presented with clear information and links to learn more.

  • Affected package: The specific details needed to understand what is vulnerable.

  • Fix available: The package version that resolves it, if one exists, and, where applicable, the first Liquibase image version where the CVE no longer appears.

  • Component type: Additional vulnerability details to help understand the risk.

  • First-party vs. third-party: Whether the vulnerability is in Liquibase’s own code or an upstream dependency.

The full list is filterable by severity, component type, and keyword search, and can be exported as CSV or PDF. (See figures.)

Part of a broader commitment to the Community

The CVE Library doesn’t stand alone. Since September of 2025, Liquibase has released a steady stream of enhancements and fixes for the Liquibase Community. Recently, in May of 2026, Liquibase standardized on two clear paths to updates: quarterly Community releases and continuous nightly builds on GitHub (available at github.com/liquibase/liquibase/releases/tag/nightly). The CVE Library now makes that ongoing work readily visible, so users don’t have to just trust that issues are being addressed; they can see it, release by release.

For teams that need enterprise assurance

The Liquibase CVE Library gives Community users clear visibility into known vulnerability exposure. For organizations running Liquibase in regulated, mission-critical, AI-enabled, or enterprise production environments, visibility is often the first step. Liquibase Secure provides a fully supported enterprise distribution with SLA-backed support, tested components, policy checks, drift detection, structured audit logs, and governance controls for teams that need to reduce risk while maintaining delivery velocity.

Take a look and get involved

The Liquibase Community thrives because people around the world step up to contribute. Here’s how to get in touch and take part:

About Liquibase

Liquibase empowers teams to deliver mission-critical applications, data products, and AI initiatives by automating and governing database change. We are the company behind Liquibase Community, a project with deep open-source roots that has been downloaded more than 100 million times and is trusted by thousands of teams worldwide.

Liquibase Secure, built on that proven community foundation, is the only enterprise platform that unifies DevOps, security, and compliance at the database layer. It enables organizations to deliver applications and data products with velocity, safety, and confidence. Trusted by the world’s most innovative and highly regulated enterprises, Liquibase Secure powers the last mile of application and data delivery.

Learn more at www.liquibase.com. Follow us on LinkedIn and X.
