GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,757 advisories

OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms (High)
CVE-2026-53712 was published for com.ongres.scram:scram-client (Maven) Jul 1, 2026
Credited to KEIJOT and jorsol

Keycloak has privilege escalation via improper scope mapping enforcement (High)
CVE-2026-9795 was published for org.keycloak:keycloak-services (Maven) Jul 1, 2026
Credited to tonghuaroot and jonesbusy

CrateDB's Blob HTTP handler bypasses authorization (Low)
CVE-2026-49989 was published for io.crate:crate (Maven) Jul 1, 2026
Credited to fab1ano and matriv

GeoNetwork has ACL bypass on Elasticsearch search when request body omits query field (High)
CVE-2026-46487 was published for org.geonetwork-opensource:geonetwork (Maven) Jul 1, 2026
Credited to jrdnull and juanluisrp

GeoNetwork has reflected XSS through client-side template injection (High)
CVE-2026-39379 was published for org.geonetwork-opensource:geonetwork (Maven) Jul 1, 2026
Credited to Timonheu and juanluisrp

Sigstore Java has a vulnerability with bundle verification of integratedTime (Low)
CVE-2026-48791 was published for dev.sigstore:sigstore-java (Maven) Jun 30, 2026

OpenAM OAuth Authorization Bypass via PKCE Challenge (Moderate)
CVE-2026-48717 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) Jun 29, 2026
Credited to wodzen

OpenAM OAuth Client Impersonation via JWKS Resolver Cache (High)
CVE-2026-47426 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) Jun 29, 2026
Credited to wodzen

OpenAM Authenticated RCE via Groovy Sandbox Escape (High)
CVE-2026-47424 was published for org.openidentityplatform.openam:openam-scripting (Maven) Jun 29, 2026
Credited to wodzen

OpenAM Account Takeover via Unverified Password Change in OAuth2 Module (High)
CVE-2026-46623 was published for org.openidentityplatform.openam:openam-auth-oauth2 (Maven) Jun 26, 2026
Credited to wodzen

OpenAM Authentication Bypass via MSISDN LDAP Injection (High)
CVE-2026-46619 was published for org.openidentityplatform.openam:openam-auth-msisdn (Maven) Jun 26, 2026
Credited to wodzen

nextflow auth login command has incorrect default permissions (Moderate)
CVE-2026-48722 was published for io.nextflow:nextflow (Maven) Jun 25, 2026

OpenAM: Unauthenticated Authentication Bypass via RADIUS Spoofing (High)
CVE-2026-46560 was published for org.openidentityplatform.openam:openam-radius (Maven) Jun 25, 2026
Credited to wodzen

OpenAM Arbitrary OAuth Token Minting via Push Registration (High)
CVE-2026-46498 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) Jun 25, 2026
Credited to wodzen

OpenAM has Unsafe Java Deserialization via SNS (High)
CVE-2026-45794 was published for org.openidentityplatform.openam:openam-push-notification (Maven) Jun 25, 2026
Credited to wodzen

OpenAM Pre-auth User Profile Tampering via Anonymous SOAP Authn in Liberty IDPP/Discovery Endpoints (Critical)
CVE-2026-45052 was published for org.openidentityplatform.openam:openam-federation-library (Maven) Jun 24, 2026
Credited to wodzen

OpenAM: Pre-auth RCE via Java Deserialization in WebAuthn Authenticator Storage (Critical)
CVE-2026-45051 was published for org.openidentityplatform.openam:openam-auth-webauthn (Maven) Jun 24, 2026
Credited to wodzen

OHttpVersionChunkDraft: Missing Final-Chunk Enforcement Leads to Undetected Stream Truncation (Moderate)
CVE-2026-48480 was published for io.netty.incubator:netty-incubator-codec-ohttp (Maven) Jun 23, 2026

jackson-databind has @JsonView bypass for setterless creator properties (Moderate)
CVE-2026-54517 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to omkhar

jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields (Moderate)
CVE-2026-54516 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to omkhar

jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties (Moderate)
CVE-2026-54515 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to omkhar, pjfanning, snieguu, and ataillefer

jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF) (Moderate)
CVE-2026-54514 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to omkhar

jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray) (High)
CVE-2026-54513 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to omkhar

jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation (High)
CVE-2026-54512 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to caveeroo, omkhar, and 75ACOL