Please follow the security policy to report a security vulnerability or concern.
Security: oras-project/oras-java
Security
SECURITY.md
-
Symlink-based path traversal in ArchiveUtils.untar / unzip allows arbitrary file write outside extraction directoryGHSA-j6hm-v3x2-qv6j published
May 27, 2026 by jonesbusyLow -
Path traversal in pullArtifact via attacker-controlled org.opencontainers.image.title annotationGHSA-xm96-gfjx-jcrc published
May 13, 2026 by jonesbusyHigh
Learn more about advisories related to oras-project/oras-java in the GitHub Advisory Database