GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,069 advisories

Net::IMAP: Command Injection via ID command argument Moderate
CVE-2026-47242 was published for net-imap (RubyGems) Jun 9, 2026
Credited to nevans
Net::IMAP: Denial of Service via incomplete raw argument validation Low
CVE-2026-47241 was published for net-imap (RubyGems) Jun 9, 2026
Credited to fg0x0
Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument Moderate
CVE-2026-47240 was published for net-imap (RubyGems) Jun 9, 2026
Credited to nevans
Doorkeeper Openid Connect: Dynamic Client Registration feature creates public clients with client_secret Moderate
CVE-2026-44476 was published for doorkeeper-openid_connect (RubyGems) Jun 4, 2026
Credited to 55728
CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters Moderate
CVE-2026-44587 was published for carrierwave (RubyGems) May 27, 2026
Credited to snoopysecurity and bilerden
ERB has an @_init deserialization guard bypass via def_module / def_method / def_class High
CVE-2026-41316 was published for erb (RubyGems) Apr 24, 2026
Credited to TristanInSec
Nokogiri affected by libxslt Use of Uninitialized Resource/Use After Free vulnerability High
CVE-2019-18197 was published for nokogiri (RubyGems) May 24, 2022
libxslt Type Confusion vulnerability that affects Nokogiri High
CVE-2019-13118 was published for nokogiri (RubyGems) May 24, 2022
Uninitialized read in Nokogiri gem Moderate
CVE-2019-13117 was published for nokogiri (RubyGems) May 24, 2022
Nokogiri vulnerable to libxslt protection mechanism bypass Critical
CVE-2019-11068 was published for nokogiri (RubyGems) May 13, 2022
Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections High
CVE-2026-47737 was published for puma (RubyGems) Jun 9, 2026
Credited to vxhex and nateberkopec
Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion High
CVE-2026-47736 was published for puma (RubyGems) Jun 8, 2026
Credited to Pirikara
view_component: System Test Entry Point Path Check Allows Sibling Directory Escape Moderate
CVE-2026-44837 was published for view_component (RubyGems) May 8, 2026
Credited to cyberlanc3r
view_component: Preview Route Can Dispatch Inherited Helper Methods Moderate
CVE-2026-44836 was published for view_component (RubyGems) May 8, 2026
Credited to cyberlanc3r
CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content Moderate
CVE-2026-44312 was published for css_parser (RubyGems) May 7, 2026
Credited to JLLeitschuh, xIllunight, and michaelknap
Bootstrap Cross-site Scripting vulnerability Moderate
CVE-2018-14042 was published for bootstrap (RubyGems) Sep 13, 2018
Credited to tdunlap607 and 1Jesper1
Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption Moderate
CVE-2026-27820 was published for zlib (RubyGems) Apr 16, 2026
Credited to Pirikara
Spree: CSV Formula Injection in Customer Export Moderate
GHSA-xf4v-w5x5-pv79 was published for spree (RubyGems) Jun 4, 2026
Credited to StarPlatinu
ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351 High
CVE-2026-45363 was published for jwt (RubyGems) May 18, 2026
Credited to SnailSploit, perryn, evansalter, and canderson-activatecare
Bootstrap Vulnerable to Cross-Site Scripting Moderate
CVE-2019-8331 was published for Bootstrap.Less (RubyGems) Feb 22, 2019
Credited to flavorjones and jasnow
Katello: Denial of Service and potential information disclosure via SQL injection Moderate
CVE-2026-4324 was published for katello (RubyGems) Mar 17, 2026
OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database Critical
CVE-2026-42087 was published for openc3 (RubyGems) Apr 23, 2026
Credited to suffs811