GitHub Security Advisories (GHSA) are authoritative notices for vulnerable open-source packages and ecosystems (for example npm, PyPI, or Maven), usually with a linked CVE. Use the search box to find a GHSA or CVE, narrow by ecosystem or severity, or match phrases in the summary.
| GHSA | CVE | Severity | Type | Summary | Published |
|---|---|---|---|---|---|
| GHSA-h3m5-97jq-qjrf | — | critical | reviewed | OpenRemote Manager: removeAlarms cross-realm IDOR (bulk delete) | 2026-06-19 21:43:17 UTC |
| GHSA-c7jm-38gq-h67h | — | medium | reviewed | http4k: `ServerFilters.DigestAuth` / `DigestAuthProvider` defaulted to an always-true nonce verifier, disabling replay protection in default deployments | 2026-06-19 21:16:09 UTC |
| GHSA-pr33-38xx-6r26 | — | medium | reviewed | http4k: `BasicCookieStorage` (renamed `InsecureCookieStorage`) did not enforce RFC 6265 cookie scoping; new `DefaultCookieStorage` is now the default | 2026-06-19 21:16:07 UTC |
| GHSA-m4w9-hjfw-vwj4 | — | high | reviewed | http4k: `HmacSha256.hash` (despite the `Hmac` naming) computed a plain unkeyed digest; clarified by deprecation in favour of `Sha256.hash` / `Sha256.hmac` | 2026-06-19 21:16:03 UTC |
| GHSA-jrpc-7vxp-69p6 | — | medium | reviewed | http4k: `reverseProxy()` defaulted to substring (`Contains`) matching on `Host`; tightened to `Exact` | 2026-06-19 21:15:59 UTC |
| GHSA-gx93-m64w-5m6h | CVE-2026-55847 | medium | reviewed | Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering | 2026-06-19 21:15:53 UTC |
| GHSA-82cg-3hv7-74gc | CVE-2026-55846 | medium | reviewed | Allure Report: Path Traversal in HTTP Server Allows Arbitrary File Read | 2026-06-19 21:15:50 UTC |
| GHSA-qmch-v2q9-wg4p | CVE-2026-55773 | high | reviewed | CedarJava has policy injection vulnerability | 2026-06-19 14:39:25 UTC |
| GHSA-93g4-m6xv-cmvr | CVE-2026-55772 | high | reviewed | CedarJava has type confusion vulnerability | 2026-06-19 14:38:43 UTC |
| GHSA-xm3x-9cfw-jhx4 | CVE-2026-55414 | medium | reviewed | NL Portal Backend Libraries: Unauthenticated form resolver forwards the privileged Objecten-API token to a caller-supplied URL (SSRF) | 2026-06-19 14:17:18 UTC |
| GHSA-hgw6-8c77-v4gq | CVE-2026-11752 | medium | reviewed | Armeria: External Control of File Name or Path in xDS SDS DataSource | 2026-06-18 17:22:17 UTC |
| GHSA-jr45-52cw-69h5 | CVE-2026-54683 | medium | reviewed | NL Portal Backend Libraries: Document contents remained downloadable by any logged-in user (incomplete fix of CVE-2026-49463) | 2026-06-18 17:20:14 UTC |
| GHSA-47qp-hqvx-6r3f | — | high | reviewed | JLine3 Telnet server: Unauthenticated Remote Memory Exhaustion via Unbounded Telnet NEW-ENVIRON Variables | 2026-06-18 13:07:25 UTC |
| GHSA-2r2c-cx56-8933 | — | high | reviewed | JLine3 Telnet server: Unauthenticated Remote DoS via Unbounded Telnet NAWS Terminal Geometry | 2026-06-18 13:07:16 UTC |
| GHSA-2c85-rfcc-g74j | — | high | reviewed | Karate Mock Server RCE via embedded expression evaluation of request-derived data | 2026-06-18 13:06:46 UTC |
| GHSA-r427-j2h7-wv3m | CVE-2026-55226 | medium | reviewed | Strimzi: Unrestricted access to all Secrets within namespace watched by the Topic operator | 2026-06-18 13:04:49 UTC |
| GHSA-mw9r-p8xp-wx96 | CVE-2026-55225 | high | reviewed | Strimzi: Cross-namespace privilege escalation via `Kafka.spec.entityOperator` | 2026-06-18 13:04:43 UTC |
| GHSA-2f55-g35j-5jmf | CVE-2026-55471 | critical | reviewed | HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory | 2026-06-17 18:47:51 UTC |
| GHSA-fxj4-p9xp-37v5 | CVE-2026-55470 | high | reviewed | HAPI FHIR: Incomplete fix for CVE-2026-45367: DSTU2 FHIRPathEngine.matches() missing RegexTimeout protection allows ReDoS | 2026-06-17 18:47:23 UTC |
| GHSA-r4gv-qr8j-p3pg | CVE-2026-55760 | high | reviewed | handlebars.java FileTemplateLoader Path Traversal | 2026-06-17 18:42:09 UTC |