GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,705 advisories

Keycloak: Revoked Tokens Can Remain Active When Both Realm-Level and Client-Level `notBefore` Revocation Policies are Configured Moderate
CVE-2026-8922 was published for org.keycloak:keycloak-services (Maven) May 19, 2026
Keycloak: Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation Moderate
CVE-2026-8830 was published for org.keycloak:keycloak-services (Maven) May 19, 2026
Keycloak: Insufficient verification proof scoping enables identity provider account linking attack and account compromise Moderate
CVE-2026-9087 was published for org.keycloak:keycloak-services (Maven) May 20, 2026
Keycloak has a Forced Browsing issue Moderate
CVE-2026-7500 was published for org.keycloak:keycloak-services (Maven) Apr 30, 2026
nextflow auth login command has incorrect default permissions Moderate
CVE-2026-48722 was published for io.nextflow:nextflow (Maven) Jun 25, 2026
OpenAM: Unauthenticated Authentication Bypass via RADIUS Spoofing High
CVE-2026-46560 was published for org.openidentityplatform.openam:openam-radius (Maven) Jun 25, 2026
Credited to wodzen
OpenAM Arbitrary OAuth Token Minting via Push Registration High
CVE-2026-46498 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) Jun 25, 2026
Credited to wodzen
OpenAM has Unsafe Java Deserialization via SNS High
CVE-2026-45794 was published for org.openidentityplatform.openam:openam-push-notification (Maven) Jun 25, 2026
Credited to wodzen
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation High
CVE-2026-54512 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to caveeroo, omkhar, and 75ACOL
OpenAM Pre-auth User Profile Tampering via Anonymous SOAP Authn in Liberty IDPP/Discovery Endpoints Critical
CVE-2026-45052 was published for org.openidentityplatform.openam:openam-federation-library (Maven) Jun 24, 2026
Credited to wodzen
OpenAM: Pre-auth RCE via Java Deserialization in WebAuthn Authenticator Storage Critical
CVE-2026-45051 was published for org.openidentityplatform.openam:openam-auth-webauthn (Maven) Jun 24, 2026
Credited to wodzen
OHttpVersionChunkDraft: Missing Final-Chunk Enforcement Leads to Undetected Stream Truncation Moderate
CVE-2026-48480 was published for io.netty.incubator:netty-incubator-codec-ohttp (Maven) Jun 23, 2026
jackson-databind has @JsonView bypass for setterless creator properties Moderate
CVE-2026-54517 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to omkhar
jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields Moderate
CVE-2026-54516 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to omkhar
jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties Moderate
CVE-2026-54515 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to omkhar
jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF) Moderate
CVE-2026-54514 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to omkhar
jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray) High
CVE-2026-54513 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to omkhar
jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString() Moderate
CVE-2026-50193 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to deniz-husaj and cowtowncoder
jackson-databind has a @JsonView bypass for unwrapped creator parameters Moderate
CVE-2026-54518 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to omkhar
OpenAM Unauthenticated Session Hijacking via Information Exposure in CDCServlet High
CVE-2026-45049 was published for org.openidentityplatform.openam:openam-federation (Maven) Jun 23, 2026
Credited to wodzen
OpenAM Authenticated Privilege Escalation via Raw Token Disclosure Session RPC High
CVE-2026-45048 was published for org.openidentityplatform.openam:openam-core (Maven) Jun 23, 2026
Credited to wodzen
OpenDJ Pre-Auth RCE via Java Deserialization in JMX RMI Critical
CVE-2026-46495 was published for org.openidentityplatform.opendj:opendj-server-legacy (Maven) Jun 22, 2026
Credited to wodzen
Spinnaker has unsafe YAML deserialization, allowing RCE when using specific types High
CVE-2026-44795 was published for io.spinnaker.orca:orca-core (Maven) Jun 22, 2026
OpenAM SAML2 Cluster Cookie-Hash-Redirect Path has Pre-authentication Reflected XSS via `FSUtils.postToTarget` Low
CVE-2026-44793 was published for org.openidentityplatform.openam:openam-federation-library (Maven) Jun 22, 2026
Credited to gujjuboy10x00
OpenAM has pre-auth Reflected XSS in OAuth2 / OIDC response_mode=form_post via state parameter (FormPostResponse.ftl) Critical
CVE-2026-44203 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) Jun 22, 2026
Credited to gujjuboy10x00 and wodzen