GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
6,798 advisories
Filter by severity
OpenAM SAML2 Cluster Cookie-Hash-Redirect Path has Pre-authentication Reflected XSS via `FSUtils.postToTarget`
Low
CVE-2026-44793
was published
for
org.openidentityplatform.openam:openam-federation-library
(Maven)
Jun 22, 2026
OpenAM has pre-auth Reflected XSS in OAuth2 / OIDC response_mode=form_post via state parameter (FormPostResponse.ftl)
Critical
CVE-2026-44203
was published
for
org.openidentityplatform.openam:openam-oauth2
(Maven)
Jun 22, 2026
OpenAM Authenticated Server-Side Request Forgery (SSRF) via `/sessionservice`
Moderate
CVE-2026-44202
was published
for
org.openidentityplatform.openam:openam-core
(Maven)
Jun 22, 2026
xwiki-pro-macros has remote code execution from page title and content via excerpt-include macro
Critical
CVE-2026-44179
was published
for
com.xwiki.pro:xwiki-pro-macros
(Maven)
Jun 22, 2026
OpenAM has LDAP Injection via `_queryId` Parameter
High
CVE-2026-41573
was published
for
org.openidentityplatform.openam:openam-core-rest
(Maven)
Jun 22, 2026
OpenRemote Manager: removeAlarms cross-realm IDOR (bulk delete)
Critical
CVE-2026-57168
was published
for
io.openremote:openremote-manager
(Maven)
Jun 19, 2026
http4k: `ServerFilters.DigestAuth` / `DigestAuthProvider` defaulted to an always-true nonce verifier, disabling replay protection in default deployments
Moderate
GHSA-c7jm-38gq-h67h
was published
for
org.http4k:http4k-security-digest
(Maven)
Jun 19, 2026
http4k: BasicCookieStorage` (renamed `InsecureCookieStorage`) did not enforce RFC 6265 cookie scoping; new `DefaultCookieStorage` is now the default
Moderate
GHSA-pr33-38xx-6r26
was published
for
org.http4k:http4k-core
(Maven)
Jun 19, 2026
http4k: `HmacSha256.hash` (despite the `Hmac` naming) computed a plain unkeyed digest; clarified by deprecation in favour of `Sha256.hash` / `Sha256.hmac`
High
GHSA-m4w9-hjfw-vwj4
was published
for
org.http4k:http4k-core
(Maven)
Jun 19, 2026
http4k: `reverseProxy()` defaulted to substring (`Contains`) matching on `Host`; tightened to `Exact`
Moderate
GHSA-jrpc-7vxp-69p6
was published
for
org.http4k:http4k-core
(Maven)
Jun 19, 2026
Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering
Moderate
CVE-2026-55847
was published
for
io.qameta.allure:allure-generator
(Maven)
Jun 19, 2026
Allure Report: Path Traversal in HTTP Server Allows Arbitrary File Read
Moderate
CVE-2026-55846
was published
for
io.qameta.allure:allure-commandline
(Maven)
Jun 19, 2026
CedarJava has policy injection vulnerability
High
CVE-2026-55773
was published
for
com.cedarpolicy:cedar-java
(Maven)
Jun 19, 2026
CedarJava has type confusion vulnerability
High
CVE-2026-55772
was published
for
com.cedarpolicy:cedar-java
(Maven)
Jun 19, 2026
NL Portal Backend Libraries: Unauthenticated form resolver forwards the privileged Objecten-API token to a caller-supplied URL (SSRF)
Moderate
CVE-2026-55414
was published
for
nl.nl-portal:form
(Maven)
Jun 19, 2026
Armeria: External Control of File Name or Path in xDS SDS DataSource
Moderate
CVE-2026-11752
was published
for
com.linecorp.armeria:armeria-xds
(Maven)
Jun 18, 2026
NL Portal Backend Libraries: Document contents remained downloadable by any logged-in user (incomplete fix of CVE-2026-49463)
Moderate
CVE-2026-54683
was published
for
nl.nl-portal:documenten-api
(Maven)
Jun 18, 2026
JLine3 Telnet server: Unauthenticated Remote Memory Exhaustion via Unbounded Telnet NEW-ENVIRON Variables
High
GHSA-47qp-hqvx-6r3f
was published
for
org.jline:jline-remote-telnet
(Maven)
Jun 18, 2026
JLine3 Telnet server: Unauthenticated Remote DoS via Unbounded Telnet NAWS Terminal Geometry
High
GHSA-2r2c-cx56-8933
was published
for
org.jline:jline-remote-telnet
(Maven)
Jun 18, 2026
Karate Mock Server RCE via embedded expression evaluation of request-derived data
High
GHSA-2c85-rfcc-g74j
was published
for
io.karatelabs:karate-core
(Maven)
Jun 18, 2026
Strimzi: Unrestricted access to all Secrets within namespace watched by the Topic operator
Moderate
CVE-2026-55226
was published
for
io.strimzi:strimzi
(Maven)
Jun 18, 2026
Strimzi: Cross-namespace privilege escalation via `Kafka.spec.entityOperator`
High
CVE-2026-55225
was published
for
io.strimzi:strimzi
(Maven)
Jun 18, 2026
HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory
Critical
CVE-2026-55471
was published
for
ca.uhn.hapi.fhir:org.hl7.fhir.utilities
(Maven)
Jun 17, 2026
HAPI FHIR: Incomplete fix for CVE-2026-45367: DSTU2 FHIRPathEngine.matches() missing RegexTimeout protection allows ReDoS
High
CVE-2026-55470
was published
for
ca.uhn.hapi.fhir:org.hl7.fhir.convertors
(Maven)
Jun 17, 2026
handlebars.java FileTemplateLoader Path Traversal
High
CVE-2026-55760
was published
for
com.github.jknack:handlebars
(Maven)
Jun 17, 2026
ProTip!
Advisories are also available from the
GraphQL API