Is land.oras:oras-java-sdk affected by GHSA-xm96-gfjx-jcrc?

Maven land.oras:oras-java-sdk is affected in <0.6.2.

Is GHSA-xm96-gfjx-jcrc being exploited?

Not on the CISA KEV list. EPSS exploit probability is not available.

high

GHSA-xm96-gfjx-jcrc

Q: Is GHSA-xm96-gfjx-jcrc being exploited?

Not on the CISA KEV list. EPSS exploit probability is not available.

Maven · land.oras:oras-java-sdk

Summary

ORAS Java: Path traversal in pullArtifact via attacker-controlled org.opencontainers.image.title annotation

Severity: high
Published: 2026-05-19

References

https://github.com/oras-project/oras-java/security/advisories/GHSA-xm96-gfjx-jcrc
https://github.com/oras-project/oras-java

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.