All Nominatim releases receive security updates for two years.
The following table lists the end of support for all currently supported versions.
Version | End of support for security updates |
---|---|
4.5.x | 2026-09-12 |
4.4.x | 2026-03-07 |
4.3.x | 2025-09-07 |
4.2.x | 2024-11-24 |
If you believe, you have found an issue in Nominatim that has implications on security, please send a description of the issue to security@nominatim.org. You will receive an acknowledgement of your mail within 3 work days where we also notify you of the next steps.
** The following section only applies to security issues found in released versions. Issues that concern the master development branch only will be fixed immediately on the branch with the corresponding PR containing the description of the nature and severity of the issue. **
Patches for identified security issues are applied to all affected versions and new minor versions are released. At the same time we release a statement at the Nominatim blog describing the nature of the incident. Announcements will also be published at the geocoding mailinglist.
- 2023-11-20 - SQL injection vulnerability
- 2023-02-21 - cross-site scripting vulnerability
- 2020-05-04 - SQL injection issue on /details endpoint