Security: ckan/ckan
SECURITY.md
If you find a potential security vulnerability please email security@ckan.org, rather than creating a public issue on GitHub.
We aim to respond to all valid reports within three working days.
Security updates are offered for the 2 most recent minor CKAN releases. It is critical to always run the latest patch release for a minor version. To find out the currently supported version and learn more about CKAN releases see here:
https://docs.ckan.org/en/latest/maintaining/releases.html
Fixed security vulnerabilities are assigned a CVE and registered using GitHub Security Advisories, and are also included in the CHANGELOG.rst.
Again, only the latest patch release contains all security patches applied so please ensure your CKAN instance is running on a supported version to avoid exposing your users and your data.
Published advisories (title, GHSA identifier, publication date, reporter, severity):

- Rotate session identifiers to prevent Session Cookie Fixation (GHSA-2hvh-cw5c-8q8q), published Oct 29, 2025 by amercader, severity: Moderate
- Stored XSS vector in Markdown description fields (GHSA-2r4h-8jxv-w2j8), published Oct 29, 2025 by amercader, severity: Moderate
- XSS vector in user uploaded images in group/org and user profiles (GHSA-7pq5-qcp6-mcww), published Feb 5, 2025 by amercader, severity: High
- Potential access to sensitive URLs via CKAN extensions (SSRF) (GHSA-g9ph-j5vj-f8wm), published Aug 21, 2024 by amercader, severity: Moderate
- Solr credentials leak via error message in package_search action (GHSA-2rqw-cfhc-35fh), published Aug 21, 2024 by amercader, severity: Moderate
- XSS vector in the Datatables view plugin (GHSA-r3jc-vhf4-6v32), published Aug 21, 2024 by amercader, severity: Moderate
- Potential log injection in reset user endpoint (GHSA-8g38-3m6v-232j), published Mar 13, 2024 by amercader, severity: Moderate
- Remote code execution and private information access via crafted resource ids (GHSA-446m-hmmm-hm8m), published May 24, 2023 by amercader, severity: Critical
- Session secret shared across instances using Docker images (GHSA-pr8j-v4c8-h62x), published Jan 31, 2023 by amercader, severity: High
- Out of memory error when submitting the dataset form with a specially-crafted field (GHSA-7fgc-89cx-w8j5), published Dec 13, 2023 by amercader, severity: Moderate
Learn more about advisories related to ckan/ckan in the GitHub Advisory Database.