GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

509 advisories

YARD static cache reads raw traversal paths before router sanitization Moderate
CVE-2026-49342 was published for yard (RubyGems) Jun 26, 2026
Credited to hibrian827
fluent-plugin-opentelemetry Has Denial of Service (DoS) via Large Payloads and Decompression Bombs in `in_opentelemetry` Moderate
CVE-2026-44163 was published for fluent-plugin-opentelemetry (RubyGems) Jun 26, 2026
Oj: intern.c form_attr (uninitialized stack read) Moderate
CVE-2026-54500 was published for oj (RubyGems) Jun 19, 2026
Credited to 7a6163
Nokogiri: Possible Out-of-Bounds Read in `Nokogiri::XML::NodeSet#[]` Moderate
GHSA-5prr-v3j2-97mh was published for nokogiri (RubyGems) Jun 19, 2026
Credited to cla7aye15I4nd
katello: missing repository authorization in content_uploads exposes cross-product content existence Moderate
CVE-2026-12515 was published for katello (RubyGems) Jun 17, 2026
Net::IMAP: Command Injection via ID command argument Moderate
CVE-2026-47242 was published for net-imap (RubyGems) Jun 9, 2026
Credited to nevans
Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument Moderate
CVE-2026-47240 was published for net-imap (RubyGems) Jun 9, 2026
Credited to nevans
Spree: CSV Formula Injection in Customer Export Moderate
GHSA-xf4v-w5x5-pv79 was published for spree (RubyGems) Jun 4, 2026
Credited to StarPlatinu
Doorkeeper Openid Connect: Dynamic Client Registration feature creates public clients with client_secret Moderate
CVE-2026-44476 was published for doorkeeper-openid_connect (RubyGems) Jun 4, 2026
Credited to 55728
CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters Moderate
CVE-2026-44587 was published for carrierwave (RubyGems) May 27, 2026
Credited to snoopysecurity and bilerden
view_component: System Test Entry Point Path Check Allows Sibling Directory Escape Moderate
CVE-2026-44837 was published for view_component (RubyGems) May 8, 2026
Credited to cyberlanc3r
view_component: Preview Route Can Dispatch Inherited Helper Methods Moderate
CVE-2026-44836 was published for view_component (RubyGems) May 8, 2026
Credited to cyberlanc3r
Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler Moderate
CVE-2026-40295 was published for devise (RubyGems) May 8, 2026
Credited to offset
Sidekiq-cron is vulnerable to a cross-site scripting (xss) vulnerability via crafted URL Moderate
CVE-2025-67202 was published for sidekiq-cron (RubyGems) May 7, 2026
CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content Moderate
CVE-2026-44312 was published for css_parser (RubyGems) May 7, 2026
Credited to JLLeitschuh
Nokogiri XSLT transform has a memory leak Moderate
GHSA-v2fc-qm4h-8hqv was published for nokogiri (RubyGems) May 6, 2026
Credited to Captainjack-kor and flavorjones
GraphQL-Ruby's Ruby lexer does not count comment tokens for the purposes of max_query_string_tokens Moderate
GHSA-3h96-34p3-xm76 was published for graphql (RubyGems) May 5, 2026
Credited to d0cs1s-bzhunt and rmosolgo
net-imap vulnerable to command Injection via "raw" arguments to multiple commands Moderate
CVE-2026-42257 was published for net-imap (RubyGems) May 4, 2026
Credited to manunio and nevans
net-imap vulnerable to command Injection via unvalidated Symbol inputs Moderate
CVE-2026-42258 was published for net-imap (RubyGems) May 4, 2026
Credited to manunio
net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication Moderate
CVE-2026-42256 was published for net-imap (RubyGems) May 4, 2026
Credited to Masamuneee
OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender Moderate
CVE-2026-42086 was published for openc3 (RubyGems) Apr 22, 2026
Credited to ctrlsill
OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames Moderate
CVE-2026-42085 was published for openc3 (RubyGems) Apr 22, 2026
Credited to ctrlsill
yard: Possible arbitrary path traversal and file access via yard server Moderate
CVE-2026-41493 was published for yard (RubyGems) Apr 17, 2026
Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption Moderate
CVE-2026-27820 was published for zlib (RubyGems) Apr 16, 2026
rdiscount has an Out-of-bounds Read Moderate
CVE-2026-35201 was published for rdiscount (RubyGems) Apr 6, 2026
Credited to WesR