Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

3,264 advisories

Loading
Apollo Portal: There is a risk of unauthorized access to the Apollo configuration center Moderate
CVE-2025-32781 was published for com.ctrip.framework.apollo:apollo (Maven) Jul 13, 2026
lesignals Credited to lesignals
Micronaut: DefaultHttpClient follows redirects, forwarding Authorization, Cookie, and Proxy-Authorization headers Moderate
GHSA-q6gh-6v2r-hjv3 was published for io.micronaut:micronaut-http-client (Maven) Jul 9, 2026
sdelamo Credited to sdelamo
NL Portal: Missing per-user authorization on document and decision GraphQL queries in nl-portal-backend-libraries Moderate
CVE-2026-49463 was published for nl.nl-portal:besluiten (Maven) Jul 8, 2026
DSpace: Path Traversal is possible through LDN message generation Moderate
CVE-2026-49833 was published for org.dspace:dspace-api (Maven) Jul 8, 2026
superpegaso2703 Credited to superpegaso2703 and kshepherd kshepherd kshepherd
DSpace: ORE resource URI does not validate scheme for non-web resources Moderate
CVE-2026-49830 was published for org.dspace:dspace-api (Maven) Jul 8, 2026
superpegaso2703 Credited to superpegaso2703 and kshepherd kshepherd kshepherd
DSpace has a possible Path Traversal Vulnerability in its Curation Task Reporter output path Moderate
CVE-2026-49831 was published for org.dspace:dspace-api (Maven) Jul 8, 2026
superpegaso2703 Credited to superpegaso2703 and kshepherd kshepherd kshepherd
OpenRemote read-only asset users can write predicted datapoints Moderate
CVE-2026-49439 was published for io.openremote:openremote-manager (Maven) Jul 6, 2026
Hussien-Alzaghateet Credited to Hussien-Alzaghateet
OpenAM OAuth Authorization Bypass via PKCE Challenge Moderate
CVE-2026-48717 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) Jun 29, 2026
wodzen Credited to wodzen
nextflow auth login command has incorrect default permissions Moderate
CVE-2026-48722 was published for io.nextflow:nextflow (Maven) Jun 25, 2026
OHttpVersionChunkDraft: Missing Final-Chunk Enforcement Leads to Undetected Stream Truncation Moderate
CVE-2026-48480 was published for io.netty.incubator:netty-incubator-codec-ohttp (Maven) Jun 23, 2026
jackson-databind has @JsonView bypass for setterless creator properties Moderate
CVE-2026-54517 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
omkhar Credited to omkhar
jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields Moderate
CVE-2026-54516 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
omkhar Credited to omkhar
jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties Moderate
CVE-2026-54515 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
omkhar Credited to omkhar, pjfanning, snieguu, and ataillefer pjfanning pjfanning
snieguu snieguu ataillefer ataillefer
jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF) Moderate
CVE-2026-54514 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
omkhar Credited to omkhar
jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString() Moderate
CVE-2026-50193 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
deniz-husaj Credited to deniz-husaj and cowtowncoder cowtowncoder cowtowncoder
jackson-databind has a @JsonView bypass for unwrapped creator parameters Moderate
CVE-2026-54518 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
omkhar Credited to omkhar
OpenAM Authenticated Server-Side Request Forgery (SSRF) via `/sessionservice` Moderate
CVE-2026-44202 was published for org.openidentityplatform.openam:openam-core (Maven) Jun 22, 2026
http4k: `reverseProxy()` defaulted to substring (`Contains`) matching on `Host`; tightened to `Exact` Moderate
GHSA-jrpc-7vxp-69p6 was published for org.http4k:http4k-core (Maven) Jun 19, 2026
Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering Moderate
CVE-2026-55847 was published for io.qameta.allure:allure-generator (Maven) Jun 19, 2026
offset Credited to offset and baev baev baev
Allure Report: Path Traversal in HTTP Server Allows Arbitrary File Read Moderate
CVE-2026-55846 was published for io.qameta.allure:allure-commandline (Maven) Jun 19, 2026
offset Credited to offset and baev baev baev
Armeria: External Control of File Name or Path in xDS SDS DataSource Moderate
CVE-2026-11752 was published for com.linecorp.armeria:armeria-xds (Maven) Jun 18, 2026
zzoru Credited to zzoru
NL Portal Backend Libraries: Document contents remained downloadable by any logged-in user (incomplete fix of CVE-2026-49463) Moderate
CVE-2026-54683 was published for nl.nl-portal:documenten-api (Maven) Jun 18, 2026
ProTip! Advisories are also available from the GraphQL API