GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

498 advisories

view_component: System Test Entry Point Path Check Allows Sibling Directory Escape (Moderate)
CVE-2026-44837, published for view_component (RubyGems) on May 8, 2026. Credited to cyberlanc3r.

view_component: Preview Route Can Dispatch Inherited Helper Methods (Moderate)
CVE-2026-44836, published for view_component (RubyGems) on May 8, 2026. Credited to cyberlanc3r.

Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler (Moderate)
CVE-2026-40295, published for devise (RubyGems) on May 8, 2026. Credited to offset.

Sidekiq-cron is vulnerable to a cross-site scripting (XSS) vulnerability via crafted URL (Moderate)
CVE-2025-67202, published for sidekiq-cron (RubyGems) on May 7, 2026.

CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content (Moderate)
CVE-2026-44312, published for css_parser (RubyGems) on May 7, 2026. Credited to JLLeitschuh.

Nokogiri XSLT transform has a memory leak (Moderate)
GHSA-v2fc-qm4h-8hqv, published for nokogiri (RubyGems) on May 6, 2026. Credited to Captainjack-kor and flavorjones.

GraphQL-Ruby's Ruby lexer does not count comment tokens for the purposes of max_query_string_tokens (Moderate)
GHSA-3h96-34p3-xm76, published for graphql (RubyGems) on May 5, 2026. Credited to d0cs1s-bzhunt and rmosolgo.

net-imap vulnerable to command injection via "raw" arguments to multiple commands (Moderate)
CVE-2026-42257, published for net-imap (RubyGems) on May 4, 2026. Credited to manunio.

net-imap vulnerable to command injection via unvalidated Symbol inputs (Moderate)
CVE-2026-42258, published for net-imap (RubyGems) on May 4, 2026. Credited to manunio.

net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication (Moderate)
CVE-2026-42256, published for net-imap (RubyGems) on May 4, 2026. Credited to Masamuneee.

OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender (Moderate)
CVE-2026-42086, published for openc3 (RubyGems) on Apr 22, 2026. Credited to ctrlsill.

OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames (Moderate)
CVE-2026-42085, published for openc3 (RubyGems) on Apr 22, 2026. Credited to ctrlsill.

yard: Possible arbitrary path traversal and file access via yard server (Moderate)
CVE-2026-41493, published for yard (RubyGems) on Apr 17, 2026.

Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption (Moderate)
CVE-2026-27820, published for zlib (RubyGems) on Apr 16, 2026.

rdiscount has an Out-of-bounds Read (Moderate)
CVE-2026-35201, published for rdiscount (RubyGems) on Apr 6, 2026. Credited to WesR.

Rack::Request accepts invalid Host characters, enabling host allowlist bypass (Moderate)
CVE-2026-34835, published for rack (RubyGems) on Apr 2, 2026. Credited to th4s1s, jeremyevans, and ioquatix.

Rack has Content-Length mismatch in Rack::Files error responses (Moderate)
CVE-2026-34831, published for rack (RubyGems) on Apr 2, 2026. Credited to Oblivionsage, jeremyevans, and ioquatix.

Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect (Moderate)
CVE-2026-34830, published for rack (RubyGems) on Apr 2, 2026. Credited to mzfr, jeremyevans, and ioquatix.

Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory (Moderate)
CVE-2026-34763, published for rack (RubyGems) on Apr 2, 2026. Credited to haruki0409, ioquatix, and jeremyevans.

Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing (Moderate)
CVE-2026-32762, published for rack (RubyGems) on Apr 2, 2026. Credited to th4s1s, jeremyevans, and ioquatix.

Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values (Moderate)
CVE-2026-26962, published for rack (RubyGems) on Apr 2, 2026. Credited to wtn, jeremyevans, and ioquatix.

Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass (Moderate)
CVE-2026-26961, published for rack (RubyGems) on Apr 2, 2026. Credited to CodeByMoriarty, jeremyevans, and ioquatix.

Rack's multipart byte range processing allows denial of service via excessive overlapping ranges (Moderate)
CVE-2026-34826, published for rack (RubyGems) on Apr 2, 2026. Credited to orenyomtov, jeremyevans, and ioquatix.

Rack::Static header_rules bypass via URL-encoded paths (Moderate)
CVE-2026-34786, published for rack (RubyGems) on Apr 2, 2026. Credited to haruki0409, jeremyevans, and ioquatix.

iCalendar has ICS injection via unsanitized URI property values (Moderate)
CVE-2026-33635, published for icalendar (RubyGems) on Mar 24, 2026. Credited to WesR.