GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
498 advisories
CVE-2026-44312 (Moderate) css_parser (RubyGems), published May 7, 2026: CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content
CVE-2026-42258 (Moderate) net-imap (RubyGems), published May 4, 2026: net-imap vulnerable to command injection via unvalidated Symbol inputs
CVE-2026-44837 (Moderate) view_component (RubyGems), published May 8, 2026: view_component: System Test Entry Point Path Check Allows Sibling Directory Escape
CVE-2026-44836 (Moderate) view_component (RubyGems), published May 8, 2026: view_component: Preview Route Can Dispatch Inherited Helper Methods
CVE-2026-42256 (Moderate) net-imap (RubyGems), published May 4, 2026: net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication
CVE-2026-35201 (Moderate) rdiscount (RubyGems), published Apr 6, 2026: rdiscount has an Out-of-bounds Read
CVE-2026-34835 (Moderate) rack (RubyGems), published Apr 2, 2026: Rack::Request accepts invalid Host characters, enabling host allowlist bypass
CVE-2026-34831 (Moderate) rack (RubyGems), published Apr 2, 2026: Rack has Content-Length mismatch in Rack::Files error responses
CVE-2026-34830 (Moderate) rack (RubyGems), published Apr 2, 2026: Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect
CVE-2026-34763 (Moderate) rack (RubyGems), published Apr 2, 2026: Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory
CVE-2026-32762 (Moderate) rack (RubyGems), published Apr 2, 2026: Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing
CVE-2026-26962 (Moderate) rack (RubyGems), published Apr 2, 2026: Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values
CVE-2026-26961 (Moderate) rack (RubyGems), published Apr 2, 2026: Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass
CVE-2026-33202 (Moderate) activestorage (RubyGems), published Mar 23, 2026: Rails Active Storage has possible glob injection in its DiskService
CVE-2026-33176 (Moderate) activesupport (RubyGems), published Mar 23, 2026: Rails Active Support has a possible DoS vulnerability in its number helpers
CVE-2026-33174 (Moderate) activestorage (RubyGems), published Mar 23, 2026: Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests
CVE-2026-33173 (Moderate) activestorage (RubyGems), published Mar 23, 2026: Rails Active Storage has possible content type bypass via metadata in direct uploads
CVE-2026-33170 (Moderate) activesupport (RubyGems), published Mar 23, 2026: Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
CVE-2026-33169 (Moderate) activesupport (RubyGems), published Mar 23, 2026: Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
CVE-2026-34826 (Moderate) rack (RubyGems), published Apr 2, 2026: Rack's multipart byte range processing allows denial of service via excessive overlapping ranges
CVE-2026-34786 (Moderate) rack (RubyGems), published Apr 2, 2026: Rack::Static header_rules bypass via URL-encoded paths
CVE-2026-42257 (Moderate) net-imap (RubyGems), published May 4, 2026: net-imap vulnerable to command injection via "raw" arguments to multiple commands
CVE-2025-67202 (Moderate) sidekiq-cron (RubyGems), published May 7, 2026: Sidekiq-cron is vulnerable to a cross-site scripting (XSS) vulnerability via crafted URL
CVE-2026-41493 (Moderate) yard (RubyGems), published Apr 17, 2026: yard: Possible arbitrary path traversal and file access via yard server
CVE-2026-40295 (Moderate) devise (RubyGems), published May 8, 2026: Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler
Advisories are also available from the GraphQL API.
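The GraphQL API the page points to is the practical way to turn a listing like the one above into a check against your own Gemfile.lock. The Ruby below is an added example written for this page; it is not code from GitHub or from any of the gems listed above. It assumes the `securityVulnerabilities` connection and the `SecurityVulnerability` / `SecurityAdvisory` field names of GitHub's public GraphQL schema (verify them against the schema explorer before relying on them), a token in `GITHUB_TOKEN`, and it uses a constructed lockfile and a constructed response for a hypothetical gem so that no version ranges are attributed to the real advisories on this page.

```ruby
require "json"
require "net/http"
require "uri"
require "rubygems"

# GraphQL query for one package in the RubyGems ecosystem. Field names are my
# reading of GitHub's public schema (assumption: check them in the schema explorer).
VULN_QUERY = <<~GRAPHQL
  query($package: String!, $cursor: String) {
    securityVulnerabilities(ecosystem: RUBYGEMS, package: $package, first: 100, after: $cursor) {
      pageInfo { hasNextPage endCursor }
      nodes {
        vulnerableVersionRange
        firstPatchedVersion { identifier }
        package { name }
        advisory { ghsaId summary severity publishedAt identifiers { type value } }
      }
    }
  }
GRAPHQL

# Walks every page of results for `package`; needs a GitHub token (read access only).
def fetch_vulnerabilities(package, token)
  uri = URI("https://api.github.com/graphql")
  nodes = []
  cursor = nil
  loop do
    req = Net::HTTP::Post.new(uri, "Authorization" => "Bearer #{token}",
                                   "Content-Type" => "application/json")
    req.body = JSON.generate(query: VULN_QUERY, variables: { package: package, cursor: cursor })
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
    raise "GraphQL request failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
    data = JSON.parse(res.body).fetch("data").fetch("securityVulnerabilities")
    nodes.concat(data["nodes"])
    break unless data.dig("pageInfo", "hasNextPage")
    cursor = data.dig("pageInfo", "endCursor")
  end
  nodes
end

# Extracts name => version from the 4-space-indented spec lines of a Gemfile.lock.
# Dependency lines are indented 6 spaces and so do not match. A platform suffix such
# as "1.15.0-x86_64-linux" is dropped, otherwise Gem::Version would treat it as a prerelease.
def parse_lockfile(text)
  text.scan(/^    ([A-Za-z0-9_.\-]+) \(([^)]+)\)$/)
      .to_h { |name, ver| [name, ver.split("-", 2).first] }
end

# GitHub writes vulnerableVersionRange as comma-separated RubyGems-style constraints
# ("< 3.1.0", ">= 3.0.0, < 3.0.5"), so Gem::Requirement evaluates it directly.
def vulnerable?(version, range)
  Gem::Requirement.new(range.split(",").map(&:strip)).satisfied_by?(Gem::Version.new(version))
end

# Returns the vulnerability nodes whose range contains the locked version of that package.
def matching_advisories(locked, nodes)
  nodes.select do |n|
    ver = locked[n.dig("package", "name")]
    ver && vulnerable?(ver, n["vulnerableVersionRange"])
  end
end

# Constructed sample data (not from the API or any real advisory): a minimal lockfile
# and a response shaped like the query above, for a hypothetical gem.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      hypothetical_gem (2.3.1)
        rack (>= 2.0)
      rack (3.1.4)
LOCK

SAMPLE_NODES = [
  { "vulnerableVersionRange" => ">= 2.0.0, < 2.4.0",
    "firstPatchedVersion" => { "identifier" => "2.4.0" },
    "package" => { "name" => "hypothetical_gem" },
    "advisory" => { "ghsaId" => "GHSA-xxxx-xxxx-xxxx", "summary" => "hypothetical issue (constructed)",
                    "severity" => "MODERATE", "publishedAt" => "2026-01-01T00:00:00Z" } },
  { "vulnerableVersionRange" => "< 1.9.0",            # already patched in the locked version
    "firstPatchedVersion" => { "identifier" => "1.9.0" },
    "package" => { "name" => "hypothetical_gem" },
    "advisory" => { "ghsaId" => "GHSA-yyyy-yyyy-yyyy", "summary" => "older hypothetical issue (constructed)",
                    "severity" => "MODERATE", "publishedAt" => "2025-01-01T00:00:00Z" } },
  { "vulnerableVersionRange" => "< 9.9.9",            # package is not in the lockfile at all
    "firstPatchedVersion" => nil,
    "package" => { "name" => "other_gem" },
    "advisory" => { "ghsaId" => "GHSA-zzzz-zzzz-zzzz", "summary" => "unrelated (constructed)",
                    "severity" => "LOW", "publishedAt" => "2025-06-01T00:00:00Z" } }
]

if __FILE__ == $PROGRAM_NAME
  locked = parse_lockfile(SAMPLE_LOCKFILE)
  # With GITHUB_TOKEN and GEM_TO_CHECK set, query the live endpoint; otherwise stay offline.
  nodes = if ENV["GITHUB_TOKEN"] && ENV["GEM_TO_CHECK"]
            fetch_vulnerabilities(ENV["GEM_TO_CHECK"], ENV["GITHUB_TOKEN"])
          else
            SAMPLE_NODES
          end
  matching_advisories(locked, nodes).each do |n|
    name = n.dig("package", "name")
    fix = n.dig("firstPatchedVersion", "identifier") || "no patched version listed"
    puts "#{name} #{locked[name]} affected by #{n.dig('advisory', 'ghsaId')} " \
         "(#{n.dig('advisory', 'severity')}), first patched: #{fix}"
  end
end
```

Run without environment variables to exercise the offline check; set `GITHUB_TOKEN` and `GEM_TO_CHECK` to query the live endpoint for one package. The one piece worth keeping when adapting this is the range test: because the ranges use RubyGems constraint syntax, `Gem::Requirement` evaluates them without a hand-written version comparator, and a `nil` `firstPatchedVersion` (an advisory with no fix yet) is reported rather than treated as safe.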