Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

907 advisories

Loading
LaunchServer FileServerHandler has an unauthenticated path traversal issue Critical
CVE-2026-54617 was published for pro.gravit.launcher:launchserver-api (Maven) Jul 2, 2026
getclaude Credited to getclaude
OpenAM Pre-auth User Profile Tampering via Anonymous SOAP Authn in Liberty IDPP/Discovery Endpoints Critical
CVE-2026-45052 was published for org.openidentityplatform.openam:openam-federation-library (Maven) Jun 24, 2026
wodzen Credited to wodzen
OpenAM: Pre-auth RCE via Java Deserialization in WebAuthn Authenticator Storage Critical
CVE-2026-45051 was published for org.openidentityplatform.openam:openam-auth-webauthn (Maven) Jun 24, 2026
wodzen Credited to wodzen
OpenDJ Pre-Auth RCE via Java Deserialization in JMX RMI Critical
CVE-2026-46495 was published for org.openidentityplatform.opendj:opendj-server-legacy (Maven) Jun 22, 2026
wodzen Credited to wodzen
OpenAM has pre-auth Reflected XSS in OAuth2 / OIDC response_mode=form_post via state parameter (FormPostResponse.ftl) Critical
CVE-2026-44203 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) Jun 22, 2026
gujjuboy10x00 Credited to gujjuboy10x00 and wodzen wodzen wodzen
xwiki-pro-macros has remote code execution from page title and content via excerpt-include macro Critical
CVE-2026-44179 was published for com.xwiki.pro:xwiki-pro-macros (Maven) Jun 22, 2026
michitux Credited to michitux
OpenRemote Manager: removeAlarms cross-realm IDOR (bulk delete) Critical
CVE-2026-57168 was published for io.openremote:openremote-manager (Maven) Jun 19, 2026
Forklit Credited to Forklit and vladkoniakhinmob vladkoniakhinmob vladkoniakhinmob
HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory Critical
CVE-2026-55471 was published for ca.uhn.hapi.fhir:org.hl7.fhir.utilities (Maven) Jun 17, 2026
Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure Critical
CVE-2026-32966 was published for org.apache.dolphinscheduler:dolphinscheduler-api (Maven) Jun 17, 2026
Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks Critical
CVE-2026-32967 was published for org.apache.dolphinscheduler:dolphinscheduler-api (Maven) Jun 17, 2026
Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection Critical
CVE-2026-46621 was published for org.yamcs:yamcs-core (Maven) May 27, 2026
superpegaso2703 Credited to superpegaso2703
Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override Critical
CVE-2026-46562 was published for org.yamcs:yamcs-core (Maven) May 27, 2026
2BCEB1 Credited to 2BCEB1
Yamcs Vulnerable to Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory` Critical
CVE-2026-44632 was published for org.yamcs:yamcs-core (Maven) May 27, 2026
superpegaso2703 Credited to superpegaso2703
XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName} Critical
CVE-2026-33137 was published for org.xwiki.platform:xwiki-platform-rest-server (Maven) May 26, 2026
odgrso Credited to odgrso
XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash Critical
CVE-2026-23734 was published for org.xwiki.commons:xwiki-commons-classloader-api (Maven) May 26, 2026
majkelstick Credited to majkelstick
Apache CXF has an LDAP injection vulnerability Critical
CVE-2026-44930 was published for org.apache.cxf.services.xkms:cxf-services-xkms-x509-repo-ldap (Maven) May 26, 2026
GlassFish's Administration Console is Vulnerable to RCE Critical
CVE-2026-2586 was published for org.glassfish.jsftemplating:jsftemplating (Maven) May 19, 2026
GlassFish's gadget handler is vulnerable to RCE Critical
CVE-2026-2587 was published for org.glassfish.jsftemplating:jsftemplating (Maven) May 19, 2026
Camel-CXF and Camel-Knative Message Header are Vulnerable to Injection via Missing Inbound Filtering Critical
CVE-2026-47323 was published for org.apache.camel:camel-cxf-rest (Maven) May 19, 2026
Amazon Redshift Vulnerable to Remote Code Execution via Unsafe Class Loading Critical
CVE-2026-8178 was published for com.amazon.redshift:redshift-jdbc42 (Maven) May 14, 2026
Fushuling Credited to Fushuling
Goobi viewer - Core: Unauthenticated Solr Streaming Expression Proxy Critical
CVE-2026-45083 was published for io.goobi.viewer:viewer-core (Maven) May 13, 2026
Mapfish Print: Remote Code Injection (RCE) in Dynamic table Critical
CVE-2026-44672 was published for org.mapfish.print:print-lib (Maven) May 13, 2026
Security feature bypass vulnerability in Azure Key Vault Keys library for Java Critical
CVE-2026-33117 was published for com.azure:azure-security-keyvault-keys (Maven) May 12, 2026
scottaddie Credited to scottaddie
Apache Tomcat - HTTP/2 request headers not validated Critical
CVE-2026-41293 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
Apache Tomcat - Digest authenticator will authenticate any unknown user Critical
CVE-2026-43512 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
ProTip! Advisories are also available from the GraphQL API