Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,798 advisories

Loading
OpenAM SAML2 Cluster Cookie-Hash-Redirect Path has Pre-authentication Reflected XSS via `FSUtils.postToTarget` Low
CVE-2026-44793 was published for org.openidentityplatform.openam:openam-federation-library (Maven) Jun 22, 2026
gujjuboy10x00 Credited to gujjuboy10x00
OpenAM has pre-auth Reflected XSS in OAuth2 / OIDC response_mode=form_post via state parameter (FormPostResponse.ftl) Critical
CVE-2026-44203 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) Jun 22, 2026
gujjuboy10x00 Credited to gujjuboy10x00 and wodzen wodzen wodzen
OpenAM Authenticated Server-Side Request Forgery (SSRF) via `/sessionservice` Moderate
CVE-2026-44202 was published for org.openidentityplatform.openam:openam-core (Maven) Jun 22, 2026
xwiki-pro-macros has remote code execution from page title and content via excerpt-include macro Critical
CVE-2026-44179 was published for com.xwiki.pro:xwiki-pro-macros (Maven) Jun 22, 2026
michitux Credited to michitux
OpenAM has LDAP Injection via `_queryId` Parameter High
CVE-2026-41573 was published for org.openidentityplatform.openam:openam-core-rest (Maven) Jun 22, 2026
nn0nkey Credited to nn0nkey
OpenRemote Manager: removeAlarms cross-realm IDOR (bulk delete) Critical
CVE-2026-57168 was published for io.openremote:openremote-manager (Maven) Jun 19, 2026
Forklit Credited to Forklit and vladkoniakhinmob vladkoniakhinmob vladkoniakhinmob
http4k: `reverseProxy()` defaulted to substring (`Contains`) matching on `Host`; tightened to `Exact` Moderate
GHSA-jrpc-7vxp-69p6 was published for org.http4k:http4k-core (Maven) Jun 19, 2026
Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering Moderate
CVE-2026-55847 was published for io.qameta.allure:allure-generator (Maven) Jun 19, 2026
offset Credited to offset and baev baev baev
Allure Report: Path Traversal in HTTP Server Allows Arbitrary File Read Moderate
CVE-2026-55846 was published for io.qameta.allure:allure-commandline (Maven) Jun 19, 2026
offset Credited to offset and baev baev baev
CedarJava has policy injection vulnerability High
CVE-2026-55773 was published for com.cedarpolicy:cedar-java (Maven) Jun 19, 2026
CedarJava has type confusion vulnerability High
CVE-2026-55772 was published for com.cedarpolicy:cedar-java (Maven) Jun 19, 2026
Armeria: External Control of File Name or Path in xDS SDS DataSource Moderate
CVE-2026-11752 was published for com.linecorp.armeria:armeria-xds (Maven) Jun 18, 2026
zzoru Credited to zzoru
NL Portal Backend Libraries: Document contents remained downloadable by any logged-in user (incomplete fix of CVE-2026-49463) Moderate
CVE-2026-54683 was published for nl.nl-portal:documenten-api (Maven) Jun 18, 2026
JLine3 Telnet server: Unauthenticated Remote Memory Exhaustion via Unbounded Telnet NEW-ENVIRON Variables High
GHSA-47qp-hqvx-6r3f was published for org.jline:jline-remote-telnet (Maven) Jun 18, 2026
sectroyer Credited to sectroyer
JLine3 Telnet server: Unauthenticated Remote DoS via Unbounded Telnet NAWS Terminal Geometry High
GHSA-2r2c-cx56-8933 was published for org.jline:jline-remote-telnet (Maven) Jun 18, 2026
sectroyer Credited to sectroyer
Karate Mock Server RCE via embedded expression evaluation of request-derived data High
GHSA-2c85-rfcc-g74j was published for io.karatelabs:karate-core (Maven) Jun 18, 2026
baozongwi Credited to baozongwi
Strimzi: Unrestricted access to all Secrets within namespace watched by the Topic operator Moderate
CVE-2026-55226 was published for io.strimzi:strimzi (Maven) Jun 18, 2026
katheris Credited to katheris, ppatierno, and scholzj ppatierno ppatierno
scholzj scholzj
Strimzi: Cross-namespace privilege escalation via `Kafka.spec.entityOperator` High
CVE-2026-55225 was published for io.strimzi:strimzi (Maven) Jun 18, 2026
cherez0ff Credited to cherez0ff, ppatierno, scholzj, and katheris ppatierno ppatierno
scholzj scholzj katheris katheris
HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory Critical
CVE-2026-55471 was published for ca.uhn.hapi.fhir:org.hl7.fhir.utilities (Maven) Jun 17, 2026
HAPI FHIR: Incomplete fix for CVE-2026-45367: DSTU2 FHIRPathEngine.matches() missing RegexTimeout protection allows ReDoS High
CVE-2026-55470 was published for ca.uhn.hapi.fhir:org.hl7.fhir.convertors (Maven) Jun 17, 2026
dyingman1 Credited to dyingman1
handlebars.java FileTemplateLoader Path Traversal High
CVE-2026-55760 was published for com.github.jknack:handlebars (Maven) Jun 17, 2026
dyingman1 Credited to dyingman1
ProTip! Advisories are also available from the GraphQL API