GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
6,791 advisories
Filter by severity
org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
High
CVE-2026-49485
was published
for
ca.uhn.hapi.fhir:org.hl7.fhir.dstu2
(Maven)
Jul 9, 2026
Micronaut: DefaultHttpClient follows redirects, forwarding Authorization, Cookie, and Proxy-Authorization headers
Moderate
GHSA-q6gh-6v2r-hjv3
was published
for
io.micronaut:micronaut-http-client
(Maven)
Jul 9, 2026
Micronaut doesn't set a maximum redirect count for its HTTP Client, enabling infinite loop DoS
High
GHSA-387m-935m-c4vw
was published
for
io.micronaut:micronaut-http-client
(Maven)
Jul 9, 2026
NL Portal: IDOR allows any authenticated user to complete and tamper with another user's taak
High
CVE-2026-49464
was published
for
nl.nl-portal:taak
(Maven)
Jul 8, 2026
NL Portal: Missing per-user authorization on document and decision GraphQL queries in nl-portal-backend-libraries
Moderate
CVE-2026-49463
was published
for
nl.nl-portal:besluiten
(Maven)
Jul 8, 2026
DSpace: Path Traversal is possible through LDN message generation
Moderate
CVE-2026-49833
was published
for
org.dspace:dspace-api
(Maven)
Jul 8, 2026
DSpace: ORE resource URI does not validate scheme for non-web resources
Moderate
CVE-2026-49830
was published
for
org.dspace:dspace-api
(Maven)
Jul 8, 2026
DSpace has a possible Path Traversal Vulnerability in its Curation Task Reporter output path
Moderate
CVE-2026-49831
was published
for
org.dspace:dspace-api
(Maven)
Jul 8, 2026
DSpace has possible Remote Code Execution (RCE) through Velocity Templates used by LDN
High
CVE-2026-49832
was published
for
org.dspace:dspace-api
(Maven)
Jul 8, 2026
XWiki Platform Old Core: Resource path traversal via /skin/ action endpoint in Jetty 12+
High
CVE-2026-34151
was published
for
org.xwiki.platform:xwiki-platform-oldcore
(Maven)
Jul 7, 2026
OpenRemote has Authenticated SQL Injection via Datapoint Crosstab Export
High
GHSA-cgfv-jrfp-2r7v
was published
for
io.openremote:openremote-manager
(Maven)
Jul 6, 2026
OpenRemote has an incomplete fix for CVE-2026-40882: XXE in KNXProtocol.startAssetImport() allows arbitrary file read via unprotected XMLInputFactory
High
CVE-2026-54640
was published
for
io.openremote:openremote-agent
(Maven)
Jul 6, 2026
OpenRemote has Cross-Realm User Information Disclosure in UserResourceImpl
High
CVE-2026-54641
was published
for
io.openremote:openremote-manager
(Maven)
Jul 6, 2026
OpenRemote read-only asset users can write predicted datapoints
Moderate
CVE-2026-49439
was published
for
io.openremote:openremote-manager
(Maven)
Jul 6, 2026
LaunchServer FileServerHandler has an unauthenticated path traversal issue
Critical
CVE-2026-54617
was published
for
pro.gravit.launcher:launchserver-api
(Maven)
Jul 2, 2026
Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
High
CVE-2026-2092
was published
for
org.keycloak:keycloak-services
(Maven)
Jul 2, 2026
OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms
High
CVE-2026-53712
was published
for
com.ongres.scram:scram-client
(Maven)
Jul 1, 2026
Keycloak has privilege escalation via improper scope mapping enforcement
High
CVE-2026-9795
was published
for
org.keycloak:keycloak-services
(Maven)
Jul 1, 2026
land.oras:oras-java-sdk: Symlink-based path traversal in ArchiveUtils.untar / unzip allows arbitrary file write outside extraction directory
Low
GHSA-j6hm-v3x2-qv6j
was published
for
land.oras:oras-java-sdk
(Maven)
Jul 1, 2026
CrateDB's Blob HTTP handler bypasses authorization
Low
CVE-2026-49989
was published
for
io.crate:crate
(Maven)
Jul 1, 2026
GeoNetwork has ACL bypass on Elasticsearch search when request body omits query field
High
CVE-2026-46487
was published
for
org.geonetwork-opensource:geonetwork
(Maven)
Jul 1, 2026
GeoNetwork has reflected XSS through client-side template injection
High
CVE-2026-39379
was published
for
org.geonetwork-opensource:geonetwork
(Maven)
Jul 1, 2026
Sigstore Java has a vulnerability with bundle verification of integratedTime
Low
CVE-2026-48791
was published
for
dev.sigstore:sigstore-java
(Maven)
Jun 30, 2026
OpenAM OAuth Authorization Bypass via PKCE Challenge
Moderate
CVE-2026-48717
was published
for
org.openidentityplatform.openam:openam-oauth2
(Maven)
Jun 29, 2026
OpenAM OAuth Client Impersonation via JWKS Resolver Cache
High
CVE-2026-47426
was published
for
org.openidentityplatform.openam:openam-oauth2
(Maven)
Jun 29, 2026
ProTip!
Advisories are also available from the
GraphQL API