GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,726 advisories

Sigstore Java has a vulnerability with bundle verification of integratedTime Low
CVE-2026-48791 was published for dev.sigstore:sigstore-java (Maven) Jun 30, 2026
OpenAM OAuth Authorization Bypass via PKCE Challenge Moderate
CVE-2026-48717 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) Jun 29, 2026
Credited to wodzen
OpenAM OAuth Client Impersonation via JWKS Resolver Cache High
CVE-2026-47426 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) Jun 29, 2026
Credited to wodzen
OpenAM Authenticated RCE via Groovy Sandbox Escape High
CVE-2026-47424 was published for org.openidentityplatform.openam:openam-scripting (Maven) Jun 29, 2026
Credited to wodzen
OpenAM Account Takeover via Unverified Password Change in OAuth2 Module High
CVE-2026-46623 was published for org.openidentityplatform.openam:openam-auth-oauth2 (Maven) Jun 26, 2026
Credited to wodzen
OpenAM Authentication Bypass via MSISDN LDAP Injection High
CVE-2026-46619 was published for org.openidentityplatform.openam:openam-auth-msisdn (Maven) Jun 26, 2026
Credited to wodzen
nextflow auth login command has incorrect default permissions Moderate
CVE-2026-48722 was published for io.nextflow:nextflow (Maven) Jun 25, 2026
OpenAM: Unauthenticated Authentication Bypass via RADIUS Spoofing High
CVE-2026-46560 was published for org.openidentityplatform.openam:openam-radius (Maven) Jun 25, 2026
Credited to wodzen
OpenAM Arbitrary OAuth Token Minting via Push Registration High
CVE-2026-46498 was published for org.openidentityplatform.openam:openam-oauth2 (Maven) Jun 25, 2026
Credited to wodzen
OpenAM has Unsafe Java Deserialization via SNS High
CVE-2026-45794 was published for org.openidentityplatform.openam:openam-push-notification (Maven) Jun 25, 2026
Credited to wodzen
OpenAM Pre-auth User Profile Tampering via Anonymous SOAP Authn in Liberty IDPP/Discovery Endpoints Critical
CVE-2026-45052 was published for org.openidentityplatform.openam:openam-federation-library (Maven) Jun 24, 2026
Credited to wodzen
OpenAM: Pre-auth RCE via Java Deserialization in WebAuthn Authenticator Storage Critical
CVE-2026-45051 was published for org.openidentityplatform.openam:openam-auth-webauthn (Maven) Jun 24, 2026
Credited to wodzen
OHttpVersionChunkDraft: Missing Final-Chunk Enforcement Leads to Undetected Stream Truncation Moderate
CVE-2026-48480 was published for io.netty.incubator:netty-incubator-codec-ohttp (Maven) Jun 23, 2026
jackson-databind has @JsonView bypass for setterless creator properties Moderate
CVE-2026-54517 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to omkhar
jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields Moderate
CVE-2026-54516 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to omkhar
jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties Moderate
CVE-2026-54515 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to omkhar, pjfanning, snieguu, and ataillefer
jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF) Moderate
CVE-2026-54514 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to omkhar
jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray) High
CVE-2026-54513 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to omkhar
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation High
CVE-2026-54512 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to caveeroo, omkhar, and 75ACOL
jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString() Moderate
CVE-2026-50193 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to deniz-husaj and cowtowncoder
jackson-databind has a @JsonView bypass for unwrapped creator parameters Moderate
CVE-2026-54518 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to omkhar
OpenAM Unauthenticated Session Hijacking via Information Exposure in CDCServlet High
CVE-2026-45049 was published for org.openidentityplatform.openam:openam-federation (Maven) Jun 23, 2026
Credited to wodzen
OpenAM Authenticated Privilege Escalation via Raw Token Disclosure Session RPC High
CVE-2026-45048 was published for org.openidentityplatform.openam:openam-core (Maven) Jun 23, 2026
Credited to wodzen
OpenDJ Pre-Auth RCE via Java Deserialization in JMX RMI Critical
CVE-2026-46495 was published for org.openidentityplatform.opendj:opendj-server-legacy (Maven) Jun 22, 2026
Credited to wodzen
Spinnaker has non-safe yaml deserialization, allowing RCE when using specific types High
CVE-2026-44795 was published for io.spinnaker.orca:orca-core (Maven) Jun 22, 2026