Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,798 advisories

Loading
Apollo ConfigService access key authentication bypass via raw config file appId parsing High
CVE-2026-59955 was published for com.ctrip.framework.apollo:apollo (Maven) Jul 13, 2026
zhou-youyou Credited to zhou-youyou and Jarvis-Huanglz Jarvis-Huanglz Jarvis-Huanglz
Apollo ConfigService access key authentication bypass via appId parsing and non-canonical matching High
CVE-2026-59954 was published for com.ctrip.framework.apollo:apollo (Maven) Jul 13, 2026
zhou-youyou Credited to zhou-youyou and Jarvis-Huanglz Jarvis-Huanglz Jarvis-Huanglz
Apollo Portal: There is a risk of unauthorized access to the Apollo configuration center Moderate
CVE-2025-32781 was published for com.ctrip.framework.apollo:apollo (Maven) Jul 13, 2026
lesignals Credited to lesignals
org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint High
CVE-2026-49485 was published for ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 (Maven) Jul 9, 2026
Micronaut: DefaultHttpClient follows redirects, forwarding Authorization, Cookie, and Proxy-Authorization headers Moderate
GHSA-q6gh-6v2r-hjv3 was published for io.micronaut:micronaut-http-client (Maven) Jul 9, 2026
sdelamo Credited to sdelamo
Micronaut doesn't set a maximum redirect count for its HTTP Client, enabling infinite loop DoS High
GHSA-387m-935m-c4vw was published for io.micronaut:micronaut-http-client (Maven) Jul 9, 2026
sdelamo Credited to sdelamo
NL Portal: IDOR allows any authenticated user to complete and tamper with another user's taak High
CVE-2026-49464 was published for nl.nl-portal:taak (Maven) Jul 8, 2026
NL Portal: Missing per-user authorization on document and decision GraphQL queries in nl-portal-backend-libraries Moderate
CVE-2026-49463 was published for nl.nl-portal:besluiten (Maven) Jul 8, 2026
DSpace: Path Traversal is possible through LDN message generation Moderate
CVE-2026-49833 was published for org.dspace:dspace-api (Maven) Jul 8, 2026
superpegaso2703 Credited to superpegaso2703 and kshepherd kshepherd kshepherd
DSpace: ORE resource URI does not validate scheme for non-web resources Moderate
CVE-2026-49830 was published for org.dspace:dspace-api (Maven) Jul 8, 2026
superpegaso2703 Credited to superpegaso2703 and kshepherd kshepherd kshepherd
DSpace has a possible Path Traversal Vulnerability in its Curation Task Reporter output path Moderate
CVE-2026-49831 was published for org.dspace:dspace-api (Maven) Jul 8, 2026
superpegaso2703 Credited to superpegaso2703 and kshepherd kshepherd kshepherd
DSpace has possible Remote Code Execution (RCE) through Velocity Templates used by LDN High
CVE-2026-49832 was published for org.dspace:dspace-api (Maven) Jul 8, 2026
superpegaso2703 Credited to superpegaso2703 and kshepherd kshepherd kshepherd
XWiki Platform Old Core: Resource path traversal via /skin/ action endpoint in Jetty 12+ High
CVE-2026-34151 was published for org.xwiki.platform:xwiki-platform-oldcore (Maven) Jul 7, 2026
khoaln98 Credited to khoaln98
OpenRemote has Authenticated SQL Injection via Datapoint Crosstab Export High
GHSA-cgfv-jrfp-2r7v was published for io.openremote:openremote-manager (Maven) Jul 6, 2026
aramosf Credited to aramosf
dyingman1 Credited to dyingman1
OpenRemote has Cross-Realm User Information Disclosure in UserResourceImpl High
CVE-2026-54641 was published for io.openremote:openremote-manager (Maven) Jul 6, 2026
geo-chen Credited to geo-chen
OpenRemote read-only asset users can write predicted datapoints Moderate
CVE-2026-49439 was published for io.openremote:openremote-manager (Maven) Jul 6, 2026
Hussien-Alzaghateet Credited to Hussien-Alzaghateet
LaunchServer FileServerHandler has an unauthenticated path traversal issue Critical
CVE-2026-54617 was published for pro.gravit.launcher:launchserver-api (Maven) Jul 2, 2026
getclaude Credited to getclaude
Keycloak: Unauthorized access via improper validation of encrypted SAML assertions High
CVE-2026-2092 was published for org.keycloak:keycloak-services (Maven) Jul 2, 2026
1seal Credited to 1seal
OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms High
CVE-2026-53712 was published for com.ongres.scram:scram-client (Maven) Jul 1, 2026
KEIJOT Credited to KEIJOT and jorsol jorsol jorsol
Keycloak has privilege escalation via improper scope mapping enforcement High
CVE-2026-9795 was published for org.keycloak:keycloak-services (Maven) Jul 1, 2026
tonghuaroot Credited to tonghuaroot and jonesbusy jonesbusy jonesbusy
CrateDB's Blob HTTP handler bypasses authorization Low
CVE-2026-49989 was published for io.crate:crate (Maven) Jul 1, 2026
fab1ano Credited to fab1ano and matriv matriv matriv
GeoNetwork has ACL bypass on Elasticsearch search when request body omits query field High
CVE-2026-46487 was published for org.geonetwork-opensource:geonetwork (Maven) Jul 1, 2026
jrdnull Credited to jrdnull and juanluisrp juanluisrp juanluisrp
GeoNetwork has reflected XSS through client-side template injection High
CVE-2026-39379 was published for org.geonetwork-opensource:geonetwork (Maven) Jul 1, 2026
Timonheu Credited to Timonheu, juanluisrp, and jodygarnett juanluisrp juanluisrp
jodygarnett jodygarnett
ProTip! Advisories are also available from the GraphQL API