SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Liquibase launches free CVE library for Community users


Fri, 12th Jun 2026

Liquibase has launched a free CVE Library for users of Liquibase Community. The public resource covers known vulnerabilities across Liquibase releases, Docker images, binaries and dependencies.

The library is aimed in part at users running older versions of the open-source database change management software, giving them a way to identify vulnerabilities and assess exposure by release.

Liquibase Community has been downloaded more than 100 million times, and the CVE Library is being released as a public tool rather than a paid product. The project has open-source roots and is used by thousands of teams worldwide.

The library ties vulnerability data to specific Liquibase releases. Users can review CVE identifiers, severity ratings and CVSS scores, see which package is affected, and check whether a fix is available.

Where available, it also shows the first Liquibase image version in which a listed vulnerability no longer appears. Additional fields identify the component type and whether a vulnerability sits in Liquibase code itself or in an upstream dependency.

How it works

Automated security scanning tools analyse both the Docker image and the Liquibase binary whenever a new release ships. The process also runs against previously published images, meaning older releases can reflect newly surfaced vulnerabilities after their original publication.

The site is organised by image and version. Users can view a high-level security grade and CVE counts for the latest release, inspect a specific version in more detail, or compare two releases to see which CVEs were resolved or introduced between them.

At launch, coverage is limited to two areas: the official Liquibase Community Docker image and vulnerabilities in the Liquibase JARs themselves, regardless of installation method. The full vulnerability list can be filtered by severity, component type and keyword search, and exported as CSV or PDF.

Broader push

The release is part of a wider effort by Liquibase to make its community project more transparent around maintenance and security. It has been issuing enhancements and fixes for Liquibase Community since September 2025.

In May 2026, Liquibase standardised updates into two streams: quarterly Community releases and continuous nightly builds on GitHub. The CVE Library adds a release-by-release view that lets users track known issues across those versions.

The launch also comes alongside a separate update to Liquibase Secure, the commercial version of the software, which now includes Agent Safe Governance for AI-generated database change. While the CVE Library is aimed at Community users, Liquibase positioned the security visibility it provides as a first step for organisations operating in more tightly controlled environments.

Security visibility

Vulnerability disclosure libraries have become a more visible part of software operations as companies seek clearer inventories of known weaknesses in both first-party code and third-party components. Tools that map CVEs directly to shipped versions can help development and security teams decide whether to upgrade, patch or accept exposure.

For open-source users in particular, version-specific disclosure can be important when support arrangements differ from those in commercial products. Liquibase's approach appears designed to show users not just whether an issue exists, but whether it arises in the software's own code base or in dependencies further upstream.

The library is intended to make that work visible to users rather than asking them to assume issues are being addressed behind the scenes. That visibility may also help teams compare older and newer releases when deciding how to manage upgrades in production systems.

Liquibase describes its software as a way for teams to manage database change across application delivery and data projects. The new library adds a public security reference layer to the Community edition, with release-by-release tracking of known vulnerabilities across the software artifacts it currently supports.

To date, the Liquibase Community project has been downloaded more than 100 million times.