Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,894
Maven
5,000+
npm
5,000+
NuGet
963
pip
5,000+
Pub
13
RubyGems
1,061
Rust
1,373
Swift
54
Unreviewed advisories
All unreviewed
5,000+

1,061 advisories

Loading
ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351 High
CVE-2026-45363 was published for jwt (RubyGems) May 18, 2026
SnailSploit Credited to SnailSploit
Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping Low
CVE-2026-33637 was published for faraday (RubyGems) May 18, 2026
Pirikara Credited to Pirikara
katalyst-koi: Session cookies can be replayed after user logout High
CVE-2026-44511 was published for katalyst-koi (RubyGems) May 7, 2026
CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content Moderate
CVE-2026-44312 was published for css_parser (RubyGems) May 7, 2026
JLLeitschuh Credited to JLLeitschuh
net-imap vulnerable to command Injection via unvalidated Symbol inputs Moderate
CVE-2026-42258 was published for net-imap (RubyGems) May 4, 2026
manunio Credited to manunio
view_component: System Test Entry Point Path Check Allows Sibling Directory Escape Moderate
CVE-2026-44837 was published for view_component (RubyGems) May 8, 2026
cyberlanc3r Credited to cyberlanc3r
view_component: Preview Route Can Dispatch Inherited Helper Methods Moderate
CVE-2026-44836 was published for view_component (RubyGems) May 8, 2026
cyberlanc3r Credited to cyberlanc3r
net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication Moderate
CVE-2026-42256 was published for net-imap (RubyGems) May 4, 2026
Masamuneee Credited to Masamuneee
net-imap has quadratic complexity when reading response literals Low
CVE-2026-42245 was published for net-imap (RubyGems) May 4, 2026
Masamuneee Credited to Masamuneee
net-imap vulnerable to STARTTLS stripping via invalid response timing High
CVE-2026-42246 was published for net-imap (RubyGems) May 4, 2026
Masamuneee Credited to Masamuneee
bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts High
CVE-2026-40069 was published for bsv-sdk (RubyGems) Apr 9, 2026
sgbett Credited to sgbett
bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths) High
CVE-2026-40070 was published for bsv-sdk (RubyGems) Apr 9, 2026
sgbett Credited to sgbett
Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization Critical
CVE-2026-39324 was published for rack-session (RubyGems) Apr 8, 2026
sm1ee Credited to sm1ee, ioquatix, and jeremyevans ioquatix ioquatix
jeremyevans jeremyevans
Addressable has a Regular Expression Denial of Service in Addressable templates High
CVE-2026-35611 was published for addressable (RubyGems) Apr 8, 2026
jamfish Credited to jamfish and sporkmonger sporkmonger sporkmonger
rdiscount has an Out-of-bounds Read Moderate
CVE-2026-35201 was published for rdiscount (RubyGems) Apr 6, 2026
WesR Credited to WesR
Rack::Request accepts invalid Host characters, enabling host allowlist bypass Moderate
CVE-2026-34835 was published for rack (RubyGems) Apr 2, 2026
th4s1s Credited to th4s1s, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack has Content-Length mismatch in Rack::Files error responses Moderate
CVE-2026-34831 was published for rack (RubyGems) Apr 2, 2026
Oblivionsage Credited to Oblivionsage, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect Moderate
CVE-2026-34830 was published for rack (RubyGems) Apr 2, 2026
mzfr Credited to mzfr, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads High
CVE-2026-34829 was published for rack (RubyGems) Apr 2, 2026
th4s1s Credited to th4s1s, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters High
CVE-2026-34827 was published for rack (RubyGems) Apr 2, 2026
TaiPhung217 Credited to TaiPhung217, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory Moderate
CVE-2026-34763 was published for rack (RubyGems) Apr 2, 2026
haruki0409 Credited to haruki0409, ioquatix, and jeremyevans ioquatix ioquatix
jeremyevans jeremyevans
Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header High
CVE-2026-34230 was published for rack (RubyGems) Apr 2, 2026
kwkr Credited to kwkr, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing Moderate
CVE-2026-32762 was published for rack (RubyGems) Apr 2, 2026
th4s1s Credited to th4s1s, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values Moderate
CVE-2026-26962 was published for rack (RubyGems) Apr 2, 2026
wtn Credited to wtn, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass. Moderate
CVE-2026-26961 was published for rack (RubyGems) Apr 2, 2026
CodeByMoriarty Credited to CodeByMoriarty, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database