
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,061 advisories

ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351 High
CVE-2026-45363 was published for jwt (RubyGems) May 18, 2026
Credited to SnailSploit
Credited to Pirikara
view_component: System Test Entry Point Path Check Allows Sibling Directory Escape Moderate
CVE-2026-44837 was published for view_component (RubyGems) May 8, 2026
Credited to cyberlanc3r
view_component: Preview Route Can Dispatch Inherited Helper Methods Moderate
CVE-2026-44836 was published for view_component (RubyGems) May 8, 2026
Credited to cyberlanc3r
Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler Moderate
CVE-2026-40295 was published for devise (RubyGems) May 8, 2026
Credited to offset
Sidekiq-cron is vulnerable to a cross-site scripting (xss) vulnerability via crafted URL Moderate
CVE-2025-67202 was published for sidekiq-cron (RubyGems) May 7, 2026
katalyst-koi: Session cookies can be replayed after user logout High
CVE-2026-44511 was published for katalyst-koi (RubyGems) May 7, 2026
CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content Moderate
CVE-2026-44312 was published for css_parser (RubyGems) May 7, 2026
Credited to JLLeitschuh
Nokogiri XSLT transform has a memory leak Moderate
GHSA-v2fc-qm4h-8hqv was published for nokogiri (RubyGems) May 6, 2026
Credited to Captainjack-kor and flavorjones
Nokogiri CSS selector tokenizer has regular expression backtracking High
GHSA-c4rq-3m3g-8wgx was published for nokogiri (RubyGems) May 6, 2026
Credited to colby-swandale and flavorjones
GraphQL-Ruby's Ruby lexer does not count comment tokens for the purposes of max_query_string_tokens Moderate
GHSA-3h96-34p3-xm76 was published for graphql (RubyGems) May 5, 2026
Credited to d0cs1s-bzhunt and rmosolgo
net-imap vulnerable to command Injection via "raw" arguments to multiple commands Moderate
CVE-2026-42257 was published for net-imap (RubyGems) May 4, 2026
Credited to manunio
net-imap vulnerable to command Injection via unvalidated Symbol inputs Moderate
CVE-2026-42258 was published for net-imap (RubyGems) May 4, 2026
Credited to manunio
net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication Moderate
CVE-2026-42256 was published for net-imap (RubyGems) May 4, 2026
Credited to Masamuneee
net-imap has quadratic complexity when reading response literals Low
CVE-2026-42245 was published for net-imap (RubyGems) May 4, 2026
Credited to Masamuneee
net-imap vulnerable to STARTTLS stripping via invalid response timing High
CVE-2026-42246 was published for net-imap (RubyGems) May 4, 2026
Credited to Masamuneee
Credited to xIllunight
ERB has an @_init deserialization guard bypass via def_module / def_method / def_class High
CVE-2026-41316 was published for erb (RubyGems) Apr 24, 2026
Credited to TristanInSec
OpenC3 COSMOS: Permissions Bypass Provides User Access to Unassigned Administrative Actions via Script Runner Tool Critical
GHSA-2wvh-87g2-89hr was published for openc3 (RubyGems) Apr 23, 2026
Credited to suffs811
OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database Critical
CVE-2026-42087 was published for openc3 (RubyGems) Apr 23, 2026
Credited to suffs811
OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender Moderate
CVE-2026-42086 was published for openc3 (RubyGems) Apr 22, 2026
Credited to ctrlsill
OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames Moderate
CVE-2026-42085 was published for openc3 (RubyGems) Apr 22, 2026
Credited to ctrlsill
OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence High
CVE-2026-42084 was published for openc3 (RubyGems) Apr 22, 2026
Credited to ctrlsill
yard: Possible arbitrary path traversal and file access via yard server Moderate
CVE-2026-41493 was published for yard (RubyGems) Apr 17, 2026
Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption Moderate
CVE-2026-27820 was published for zlib (RubyGems) Apr 16, 2026