GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
6,757 advisories
Advisory | Severity | Identifier | Package (ecosystem) | Published
OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms | High | CVE-2026-53712 | com.ongres.scram:scram-client (Maven) | Jul 1, 2026
Keycloak has privilege escalation via improper scope mapping enforcement | High | CVE-2026-9795 | org.keycloak:keycloak-services (Maven) | Jul 1, 2026
land.oras:oras-java-sdk: Symlink-based path traversal in ArchiveUtils.untar / unzip allows arbitrary file write outside extraction directory | Low | GHSA-j6hm-v3x2-qv6j | land.oras:oras-java-sdk (Maven) | Jul 1, 2026
CrateDB's Blob HTTP handler bypasses authorization | Low | CVE-2026-49989 | io.crate:crate (Maven) | Jul 1, 2026
GeoNetwork has ACL bypass on Elasticsearch search when request body omits query field | High | CVE-2026-46487 | org.geonetwork-opensource:geonetwork (Maven) | Jul 1, 2026
GeoNetwork has reflected XSS through client-side template injection | High | CVE-2026-39379 | org.geonetwork-opensource:geonetwork (Maven) | Jul 1, 2026
Sigstore Java has a vulnerability with bundle verification of integratedTime | Low | CVE-2026-48791 | dev.sigstore:sigstore-java (Maven) | Jun 30, 2026
OpenAM OAuth Authorization Bypass via PKCE Challenge | Moderate | CVE-2026-48717 | org.openidentityplatform.openam:openam-oauth2 (Maven) | Jun 29, 2026
OpenAM OAuth Client Impersonation via JWKS Resolver Cache | High | CVE-2026-47426 | org.openidentityplatform.openam:openam-oauth2 (Maven) | Jun 29, 2026
OpenAM Authenticated RCE via Groovy Sandbox Escape | High | CVE-2026-47424 | org.openidentityplatform.openam:openam-scripting (Maven) | Jun 29, 2026
OpenAM Account Takeover via Unverified Password Change in OAuth2 Module | High | CVE-2026-46623 | org.openidentityplatform.openam:openam-auth-oauth2 (Maven) | Jun 26, 2026
OpenAM Authentication Bypass via MSISDN LDAP Injection | High | CVE-2026-46619 | org.openidentityplatform.openam:openam-auth-msisdn (Maven) | Jun 26, 2026
nextflow auth login command has incorrect default permissions | Moderate | CVE-2026-48722 | io.nextflow:nextflow (Maven) | Jun 25, 2026
OpenAM: Unauthenticated Authentication Bypass via RADIUS Spoofing | High | CVE-2026-46560 | org.openidentityplatform.openam:openam-radius (Maven) | Jun 25, 2026
OpenAM Arbitrary OAuth Token Minting via Push Registration | High | CVE-2026-46498 | org.openidentityplatform.openam:openam-oauth2 (Maven) | Jun 25, 2026
OpenAM has Unsafe Java Deserialization via SNS | High | CVE-2026-45794 | org.openidentityplatform.openam:openam-push-notification (Maven) | Jun 25, 2026
OpenAM Pre-auth User Profile Tampering via Anonymous SOAP Authn in Liberty IDPP/Discovery Endpoints | Critical | CVE-2026-45052 | org.openidentityplatform.openam:openam-federation-library (Maven) | Jun 24, 2026
OpenAM: Pre-auth RCE via Java Deserialization in WebAuthn Authenticator Storage | Critical | CVE-2026-45051 | org.openidentityplatform.openam:openam-auth-webauthn (Maven) | Jun 24, 2026
OHttpVersionChunkDraft: Missing Final-Chunk Enforcement Leads to Undetected Stream Truncation | Moderate | CVE-2026-48480 | io.netty.incubator:netty-incubator-codec-ohttp (Maven) | Jun 23, 2026
jackson-databind has @JsonView bypass for setterless creator properties | Moderate | CVE-2026-54517 | com.fasterxml.jackson.core:jackson-databind (Maven) | Jun 23, 2026
jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields | Moderate | CVE-2026-54516 | com.fasterxml.jackson.core:jackson-databind (Maven) | Jun 23, 2026
jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties | Moderate | CVE-2026-54515 | com.fasterxml.jackson.core:jackson-databind (Maven) | Jun 23, 2026
jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF) | Moderate | CVE-2026-54514 | com.fasterxml.jackson.core:jackson-databind (Maven) | Jun 23, 2026
jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray) | High | CVE-2026-54513 | com.fasterxml.jackson.core:jackson-databind (Maven) | Jun 23, 2026
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation | High | CVE-2026-54512 | com.fasterxml.jackson.core:jackson-databind (Maven) | Jun 23, 2026