
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

373 advisories

Credited to kocaemre, G-Rath, iBotPeaches, Starfox64, sfriedman-cape, and maikelvdh
Fluentd is Vulnerable to Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http` High
CVE-2026-44161 was published for fluentd (RubyGems) Jun 26, 2026
Credited to everping
Fluentd is Vulnerable to Exposure of Sensitive Information via Monitor Agent API High
CVE-2026-44025 was published for fluentd (RubyGems) Jun 26, 2026
Credited to everping
Concurrent Ruby : `AtomicReference#update` livelocks when the stored value is `Float::NAN` High
CVE-2026-54904 was published for concurrent-ruby (RubyGems) Jun 19, 2026
Credited to pranjalithakur
Oj: Integer Overflow in Oj.load 2GB String Handling High
CVE-2026-54903 was published for oj (RubyGems) Jun 19, 2026
Oj: Use-After-Free in Oj::Parser SAJ Long Key Callback High
CVE-2026-54902 was published for oj (RubyGems) Jun 19, 2026
Oj: Use-After-Free in Oj::Parser array_class/hash_class GC Marking High
CVE-2026-54901 was published for oj (RubyGems) Jun 19, 2026
Oj: Negative-Size memcpy in Oj::Parser create_id Attribute Handling High
CVE-2026-54900 was published for oj (RubyGems) Jun 19, 2026
Oj: Use-After-Free in Oj::Parser SAJ Callback via Input Mutation High
CVE-2026-54898 was published for oj (RubyGems) Jun 19, 2026
Oj: Use-After-Free in Oj::Doc Iterators via Reentrant Close High
CVE-2026-54897 was published for oj (RubyGems) Jun 19, 2026
Oj: Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent High
CVE-2026-54896 was published for oj (RubyGems) Jun 19, 2026
Oj: Stack Buffer Overflow in Oj::Doc#each_child via Deeply Nested Input High
CVE-2026-54592 was published for oj (RubyGems) Jun 19, 2026
Credited to 7a6163
Oj: Stack Buffer Overflow in Oj.dump via Large Indent High
CVE-2026-54502 was published for oj (RubyGems) Jun 19, 2026
Credited to cla7aye15I4nd and yuhang-lab
Oj: Use-After-Free in Oj::Parser Symbol Key Cache Toggle High
CVE-2026-54899 was published for oj (RubyGems) Jun 19, 2026
AlchemyCMS: Unauthenticated nested page API leaks restricted & unpublished content High
GHSA-mqq5-j7w8-2hgh was published for alchemy_cms (RubyGems) Jun 19, 2026
Credited to Haxset
ERB has an @_init deserialization guard bypass via def_module / def_method / def_class High
CVE-2026-41316 was published for erb (RubyGems) Apr 24, 2026
Credited to TristanInSec
Nokogiri affected by libxslt Use of Uninitialized Resource/Use After Free vulnerability High
CVE-2019-18197 was published for nokogiri (RubyGems) May 24, 2022
libxslt Type Confusion vulnerability that affects Nokogiri High
CVE-2019-13118 was published for nokogiri (RubyGems) May 24, 2022
Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections High
CVE-2026-47737 was published for puma (RubyGems) Jun 9, 2026
Credited to vxhex and nateberkopec
Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion High
CVE-2026-47736 was published for puma (RubyGems) Jun 8, 2026
Credited to Pirikara, xIllunight, and michaelknap
ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351 High
CVE-2026-45363 was published for jwt (RubyGems) May 18, 2026
Credited to SnailSploit, perryn, evansalter, and canderson-activatecare
Decidim's comments API allows access to all commentable resources High
CVE-2026-40870 was published for decidim-api (RubyGems) Apr 14, 2026
Credited to ahukkanen