GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
3,264 advisories
Filter by severity
Apollo Portal: There is a risk of unauthorized access to the Apollo configuration center
Moderate
CVE-2025-32781
was published
for
com.ctrip.framework.apollo:apollo
(Maven)
Jul 13, 2026
Micronaut: DefaultHttpClient follows redirects, forwarding Authorization, Cookie, and Proxy-Authorization headers
Moderate
GHSA-q6gh-6v2r-hjv3
was published
for
io.micronaut:micronaut-http-client
(Maven)
Jul 9, 2026
NL Portal: Missing per-user authorization on document and decision GraphQL queries in nl-portal-backend-libraries
Moderate
CVE-2026-49463
was published
for
nl.nl-portal:besluiten
(Maven)
Jul 8, 2026
DSpace: Path Traversal is possible through LDN message generation
Moderate
CVE-2026-49833
was published
for
org.dspace:dspace-api
(Maven)
Jul 8, 2026
DSpace: ORE resource URI does not validate scheme for non-web resources
Moderate
CVE-2026-49830
was published
for
org.dspace:dspace-api
(Maven)
Jul 8, 2026
DSpace has a possible Path Traversal Vulnerability in its Curation Task Reporter output path
Moderate
CVE-2026-49831
was published
for
org.dspace:dspace-api
(Maven)
Jul 8, 2026
OpenRemote read-only asset users can write predicted datapoints
Moderate
CVE-2026-49439
was published
for
io.openremote:openremote-manager
(Maven)
Jul 6, 2026
OpenAM OAuth Authorization Bypass via PKCE Challenge
Moderate
CVE-2026-48717
was published
for
org.openidentityplatform.openam:openam-oauth2
(Maven)
Jun 29, 2026
nextflow auth login command has incorrect default permissions
Moderate
CVE-2026-48722
was published
for
io.nextflow:nextflow
(Maven)
Jun 25, 2026
OHttpVersionChunkDraft: Missing Final-Chunk Enforcement Leads to Undetected Stream Truncation
Moderate
CVE-2026-48480
was published
for
io.netty.incubator:netty-incubator-codec-ohttp
(Maven)
Jun 23, 2026
jackson-databind has @JsonView bypass for setterless creator properties
Moderate
CVE-2026-54517
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields
Moderate
CVE-2026-54516
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
Moderate
CVE-2026-54515
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)
Moderate
CVE-2026-54514
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()
Moderate
CVE-2026-50193
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
jackson-databind has a @JsonView bypass for unwrapped creator parameters
Moderate
CVE-2026-54518
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
OpenAM Authenticated Server-Side Request Forgery (SSRF) via `/sessionservice`
Moderate
CVE-2026-44202
was published
for
org.openidentityplatform.openam:openam-core
(Maven)
Jun 22, 2026
http4k: `ServerFilters.DigestAuth` / `DigestAuthProvider` defaulted to an always-true nonce verifier, disabling replay protection in default deployments
Moderate
GHSA-c7jm-38gq-h67h
was published
for
org.http4k:http4k-security-digest
(Maven)
Jun 19, 2026
http4k: BasicCookieStorage` (renamed `InsecureCookieStorage`) did not enforce RFC 6265 cookie scoping; new `DefaultCookieStorage` is now the default
Moderate
GHSA-pr33-38xx-6r26
was published
for
org.http4k:http4k-core
(Maven)
Jun 19, 2026
http4k: `reverseProxy()` defaulted to substring (`Contains`) matching on `Host`; tightened to `Exact`
Moderate
GHSA-jrpc-7vxp-69p6
was published
for
org.http4k:http4k-core
(Maven)
Jun 19, 2026
Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering
Moderate
CVE-2026-55847
was published
for
io.qameta.allure:allure-generator
(Maven)
Jun 19, 2026
Allure Report: Path Traversal in HTTP Server Allows Arbitrary File Read
Moderate
CVE-2026-55846
was published
for
io.qameta.allure:allure-commandline
(Maven)
Jun 19, 2026
NL Portal Backend Libraries: Unauthenticated form resolver forwards the privileged Objecten-API token to a caller-supplied URL (SSRF)
Moderate
CVE-2026-55414
was published
for
nl.nl-portal:form
(Maven)
Jun 19, 2026
Armeria: External Control of File Name or Path in xDS SDS DataSource
Moderate
CVE-2026-11752
was published
for
com.linecorp.armeria:armeria-xds
(Maven)
Jun 18, 2026
NL Portal Backend Libraries: Document contents remained downloadable by any logged-in user (incomplete fix of CVE-2026-49463)
Moderate
CVE-2026-54683
was published
for
nl.nl-portal:documenten-api
(Maven)
Jun 18, 2026
ProTip!
Advisories are also available from the
GraphQL API