GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
1,026 advisories
Rack::Request accepts invalid Host characters, enabling host allowlist bypass
Moderate
CVE-2026-34835
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack has Content-Length mismatch in Rack::Files error responses
Moderate
CVE-2026-34831
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect
Moderate
CVE-2026-34830
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads
High
CVE-2026-34829
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory
Moderate
CVE-2026-34763
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
Moderate
CVE-2026-34230
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing
Moderate
CVE-2026-32762
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values
Moderate
CVE-2026-26962
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass.
Low
CVE-2026-26961
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters
High
CVE-2026-34827
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack's multipart byte range processing allows denial of service via excessive overlapping ranges
Moderate
CVE-2026-34826
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack:: Static header_rules bypass via URL-encoded paths
Moderate
CVE-2026-34786
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack::Static prefix matching can expose unintended files under the static root
High
CVE-2026-34785
was published
for
rack
(RubyGems)
Apr 2, 2026
MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay
High
CVE-2026-33946
was published
for
mcp
(RubyGems)
Mar 27, 2026
iCalendar has ICS injection via unsanitized URI property values
Moderate
CVE-2026-33635
was published
for
icalendar
(RubyGems)
Mar 24, 2026
ProTip!
Advisories are also available from the
GraphQL API