GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,223 advisories
Filter by severity
org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
High
CVE-2026-49485
was published
for
ca.uhn.hapi.fhir:org.hl7.fhir.dstu2
(Maven)
Jul 9, 2026
Micronaut doesn't set a maximum redirect count for its HTTP Client, enabling infinite loop DoS
High
GHSA-387m-935m-c4vw
was published
for
io.micronaut:micronaut-http-client
(Maven)
Jul 9, 2026
NL Portal: IDOR allows any authenticated user to complete and tamper with another user's taak
High
CVE-2026-49464
was published
for
nl.nl-portal:taak
(Maven)
Jul 8, 2026
DSpace has possible Remote Code Execution (RCE) through Velocity Templates used by LDN
High
CVE-2026-49832
was published
for
org.dspace:dspace-api
(Maven)
Jul 8, 2026
XWiki Platform Old Core: Resource path traversal via /skin/ action endpoint in Jetty 12+
High
CVE-2026-34151
was published
for
org.xwiki.platform:xwiki-platform-oldcore
(Maven)
Jul 7, 2026
OpenRemote has Authenticated SQL Injection via Datapoint Crosstab Export
High
GHSA-cgfv-jrfp-2r7v
was published
for
io.openremote:openremote-manager
(Maven)
Jul 6, 2026
OpenRemote has an incomplete fix for CVE-2026-40882: XXE in KNXProtocol.startAssetImport() allows arbitrary file read via unprotected XMLInputFactory
High
CVE-2026-54640
was published
for
io.openremote:openremote-agent
(Maven)
Jul 6, 2026
OpenRemote has Cross-Realm User Information Disclosure in UserResourceImpl
High
CVE-2026-54641
was published
for
io.openremote:openremote-manager
(Maven)
Jul 6, 2026
Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
High
CVE-2026-2092
was published
for
org.keycloak:keycloak-services
(Maven)
Jul 2, 2026
OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms
High
CVE-2026-53712
was published
for
com.ongres.scram:scram-client
(Maven)
Jul 1, 2026
Keycloak has privilege escalation via improper scope mapping enforcement
High
CVE-2026-9795
was published
for
org.keycloak:keycloak-services
(Maven)
Jul 1, 2026
GeoNetwork has ACL bypass on Elasticsearch search when request body omits query field
High
CVE-2026-46487
was published
for
org.geonetwork-opensource:geonetwork
(Maven)
Jul 1, 2026
GeoNetwork has reflected XSS through client-side template injection
High
CVE-2026-39379
was published
for
org.geonetwork-opensource:geonetwork
(Maven)
Jul 1, 2026
OpenAM OAuth Client Impersonation via JWKS Resolver Cache
High
CVE-2026-47426
was published
for
org.openidentityplatform.openam:openam-oauth2
(Maven)
Jun 29, 2026
OpenAM Authenticated RCE via Groovy Sandbox Escape
High
CVE-2026-47424
was published
for
org.openidentityplatform.openam:openam-scripting
(Maven)
Jun 29, 2026
OpenAM Account Takeover via Unverified Password Change in OAuth2 Module
High
CVE-2026-46623
was published
for
org.openidentityplatform.openam:openam-auth-oauth2
(Maven)
Jun 26, 2026
OpenAM Authentication Bypass via MSISDN LDAP Injection
High
CVE-2026-46619
was published
for
org.openidentityplatform.openam:openam-auth-msisdn
(Maven)
Jun 26, 2026
OpenAM: Unauthenticated Authentication Bypass via RADIUS Spoofing
High
CVE-2026-46560
was published
for
org.openidentityplatform.openam:openam-radius
(Maven)
Jun 25, 2026
OpenAM Arbitrary OAuth Token Minting via Push Registration
High
CVE-2026-46498
was published
for
org.openidentityplatform.openam:openam-oauth2
(Maven)
Jun 25, 2026
OpenAM has Unsafe Java Deserialization via SNS
High
CVE-2026-45794
was published
for
org.openidentityplatform.openam:openam-push-notification
(Maven)
Jun 25, 2026
jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)
High
CVE-2026-54513
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation
High
CVE-2026-54512
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
OpenAM Unauthenticated Session Hijacking via Information Exposure in CDCServlet
High
CVE-2026-45049
was published
for
org.openidentityplatform.openam:openam-federation
(Maven)
Jun 23, 2026
OpenAM Authenticated Privilege Escalation via Raw Token Disclosure Session RPC
High
CVE-2026-45048
was published
for
org.openidentityplatform.openam:openam-core
(Maven)
Jun 23, 2026
Spinnaker has uon-safe yaml deserialization, allowing RCE when using specific types
High
CVE-2026-44795
was published
for
io.spinnaker.orca:orca-core
(Maven)
Jun 22, 2026
ProTip!
Advisories are also available from the
GraphQL API