GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

373 advisories

Fluentd is Vulnerable to Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http` (Severity: High)
CVE-2026-44161 was published for fluentd (RubyGems) Jun 26, 2026
Credited to everping

Fluentd is Vulnerable to Exposure of Sensitive Information via Monitor Agent API (Severity: High)
CVE-2026-44025 was published for fluentd (RubyGems) Jun 26, 2026
Credited to everping

Concurrent Ruby: `AtomicReference#update` livelocks when the stored value is `Float::NAN` (Severity: High)
CVE-2026-54904 was published for concurrent-ruby (RubyGems) Jun 19, 2026
Credited to pranjalithakur

Oj: Integer Overflow in Oj.load 2GB String Handling (Severity: High)
CVE-2026-54903 was published for oj (RubyGems) Jun 19, 2026

Oj: Use-After-Free in Oj::Parser SAJ Long Key Callback (Severity: High)
CVE-2026-54902 was published for oj (RubyGems) Jun 19, 2026

Oj: Use-After-Free in Oj::Parser array_class/hash_class GC Marking (Severity: High)
CVE-2026-54901 was published for oj (RubyGems) Jun 19, 2026

Oj: Negative-Size memcpy in Oj::Parser create_id Attribute Handling (Severity: High)
CVE-2026-54900 was published for oj (RubyGems) Jun 19, 2026

Oj: Use-After-Free in Oj::Parser SAJ Callback via Input Mutation (Severity: High)
CVE-2026-54898 was published for oj (RubyGems) Jun 19, 2026

Oj: Use-After-Free in Oj::Doc Iterators via Reentrant Close (Severity: High)
CVE-2026-54897 was published for oj (RubyGems) Jun 19, 2026

Oj: Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent (Severity: High)
CVE-2026-54896 was published for oj (RubyGems) Jun 19, 2026

Oj: Stack Buffer Overflow in Oj::Doc#each_child via Deeply Nested Input (Severity: High)
CVE-2026-54592 was published for oj (RubyGems) Jun 19, 2026
Credited to 7a6163
Credited to kocaemre, G-Rath, iBotPeaches, Starfox64, sfriedman-cape, and maikelvdh

Oj: Stack Buffer Overflow in Oj.dump via Large Indent (Severity: High)
CVE-2026-54502 was published for oj (RubyGems) Jun 19, 2026
Credited to cla7aye15I4nd and yuhang-lab

Oj: Use-After-Free in Oj::Parser Symbol Key Cache Toggle (Severity: High)
CVE-2026-54899 was published for oj (RubyGems) Jun 19, 2026

AlchemyCMS: Unauthenticated nested page API leaks restricted & unpublished content (Severity: High)
GHSA-mqq5-j7w8-2hgh was published for alchemy_cms (RubyGems) Jun 19, 2026
Credited to Haxset

Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections (Severity: High)
CVE-2026-47737 was published for puma (RubyGems) Jun 9, 2026
Credited to vxhex and nateberkopec

Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion (Severity: High)
CVE-2026-47736 was published for puma (RubyGems) Jun 8, 2026
Credited to Pirikara

ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351 (Severity: High)
CVE-2026-45363 was published for jwt (RubyGems) May 18, 2026
Credited to SnailSploit, perryn, evansalter, and canderson-activatecare

katalyst-koi: Session cookies can be replayed after user logout (Severity: High)
CVE-2026-44511 was published for katalyst-koi (RubyGems) May 7, 2026

Nokogiri CSS selector tokenizer has regular expression backtracking (Severity: High)
GHSA-c4rq-3m3g-8wgx was published for nokogiri (RubyGems) May 6, 2026
Credited to colby-swandale and flavorjones

net-imap vulnerable to STARTTLS stripping via invalid response timing (Severity: High)
CVE-2026-42246 was published for net-imap (RubyGems) May 4, 2026
Credited to Masamuneee
Credited to xIllunight

ERB has an @_init deserialization guard bypass via def_module / def_method / def_class (Severity: High)
CVE-2026-41316 was published for erb (RubyGems) Apr 24, 2026
Credited to TristanInSec

OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence (Severity: High)
CVE-2026-42084 was published for openc3 (RubyGems) Apr 22, 2026
Credited to ctrlsill