GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

86 advisories

ex_aws_sns: Trusted-attacker `SigningCertURL` permits complete SNS signature bypass (High)
GHSA-8jgf-23q5-x7xx was published for ex_aws_sns (Erlang) Jun 26, 2026
Credited to PJUllrich, bernardd, and maennchen

Hackney vulnerable to atom-table exhaustion via unrecognized URL schemes (High)
CVE-2026-47067 was published for hackney (Erlang) Jun 26, 2026
Credited to PJUllrich and maennchen

Hackney has unbounded buffer accumulation in WebSocket (High)
CVE-2026-47073 was published for hackney (Erlang) Jun 26, 2026
Credited to PJUllrich and maennchen

Hackney has CRLF / header injection in WebSocket upgrade request (Moderate)
CVE-2026-47072 was published for hackney (Erlang) Jun 26, 2026
Credited to PJUllrich and maennchen

Hackney has CR/LF injection in query parameter (Moderate)
CVE-2026-47075 was published for hackney (Erlang) Jun 26, 2026
Credited to tepel-chen and maennchen

Hackney: Per-chunk timeout with unbounded body accumulation enables slow-drip OOM (High)
CVE-2026-47074 was published for hackney (Erlang) Jun 26, 2026
Credited to PJUllrich and maennchen

Hackney: Cross-origin Redirect Leaks Authorization, Cookie, and Request Body (Moderate)
CVE-2026-47070 was published for hackney (Erlang) Jun 26, 2026
Credited to PJUllrich and maennchen

Hackney has SSRF allowlist bypass in hackney_url:normalize/2 via percent-encoded host (Moderate)
CVE-2026-47076 was published for hackney (Erlang) Jun 26, 2026
Credited to Ganbagana and maennchen

Hackney has CRLF / header injection via unvalidated `domain` and `path` options (Low)
CVE-2026-47069 was published for hackney (Erlang) Jun 26, 2026
Credited to PJUllrich and maennchen

Hackney: `ssl:connect/2` post-handshake upgrade has no timeout (High)
CVE-2026-47071 was published for hackney (Erlang) Jun 26, 2026
Credited to PJUllrich and maennchen

Hackney has an infinite loop on non-token byte at start of an Alt-Svc entry (High)
CVE-2026-47066 was published for hackney (Erlang) Jun 26, 2026
Credited to PJUllrich and maennchen

Relyra SAML SignatureValue not cryptographically verified -> authentication bypass (Critical)
CVE-2026-49454 was published for relyra (Erlang) Jun 26, 2026

earmark: Stored XSS via unescaped HTML attribute values (Moderate)
CVE-2026-48591 was published for earmark (Erlang) Jun 17, 2026

PhoenixStorybook has cross-session PubSub topic injection via URL parameter (Low)
CVE-2026-47068 was published for phoenix_storybook (Erlang) Jun 9, 2026
Credited to PJUllrich, cblavier, and maennchen

PhoenixStorybook: Unbounded atom creation from LiveView event params (atom-table DoS) (High)
CVE-2026-8469 was published for phoenix_storybook (Erlang) Jun 9, 2026
Credited to PJUllrich, cblavier, and maennchen

PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground (Critical)
CVE-2026-8467 was published for phoenix_storybook (Erlang) Jun 9, 2026
Credited to maennchen, ndelphit, cnkk, and cblavier

Plug: Unbounded buffer accumulation in multipart header parsing causes denial of service (High)
CVE-2026-8468 was published for plug (Erlang) May 20, 2026
Credited to maennchen and josevalim

Bandit: Unauthenticated DoS via chunked request trailers in Bandit HTTP/1 decoder (High)
CVE-2026-39806 was published for bandit (Erlang) May 19, 2026
Credited to PJUllrich, mtrudel, and maennchen

Bandit: Unauthenticated one-shot DoS via `Transfer-Encoding: chunked` (High)
CVE-2026-39803 was published for bandit (Erlang) May 19, 2026
Credited to PJUllrich, mtrudel, and maennchen

Postgrex: Channel-name SQL injection in `Postgrex.Notifications.listen/3` (High)
CVE-2026-32687 was published for postgrex (Erlang) May 18, 2026
Credited to PJUllrich

Absinthe: Quadratic fragment-name uniqueness check (High)
CVE-2026-43967 was published for absinthe (Erlang) May 14, 2026
Credited to PJUllrich and cschiewek

Absinthe: Unbounded atom creation from parsed directive name (High)
CVE-2026-42793 was published for absinthe (Erlang) May 14, 2026
Credited to PJUllrich and cschiewek

cowlib: Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame (High)
CVE-2026-43970 was published for cowlib (Erlang) May 13, 2026

Decimal: Unbounded exponent in `Decimal.new` enables unauthenticated DoS (Moderate)
CVE-2026-32686 was published for decimal (Erlang) May 12, 2026
Credited to PJUllrich, ericmj, josevalim, wojtekmach, maennchen, ruslandoga, and warmwaffles