Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,606
Maven
5,000+
npm
5,000+
NuGet
924
pip
4,831
Pub
13
RubyGems
1,045
Rust
1,256
Swift
53
Unreviewed advisories
All unreviewed
5,000+

488 advisories

Loading
OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender Moderate
GHSA-ffq5-qpvf-xq7x was published for openc3 (RubyGems) Apr 22, 2026
ctrlsill Credited to ctrlsill
OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames Moderate
GHSA-4jvx-93h3-f45h was published for openc3 (RubyGems) Apr 22, 2026
ctrlsill Credited to ctrlsill
yard: Possible arbitrary path traversal and file access via yard server Moderate
CVE-2026-41493 was published for yard (RubyGems) Apr 17, 2026
Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption Moderate
CVE-2026-27820 was published for zlib (RubyGems) Apr 16, 2026
rdiscount has an Out-of-bounds Read Moderate
CVE-2026-35201 was published for rdiscount (RubyGems) Apr 6, 2026
WesR Credited to WesR
Rack::Request accepts invalid Host characters, enabling host allowlist bypass Moderate
CVE-2026-34835 was published for rack (RubyGems) Apr 2, 2026
th4s1s Credited to th4s1s, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack has Content-Length mismatch in Rack::Files error responses Moderate
CVE-2026-34831 was published for rack (RubyGems) Apr 2, 2026
Oblivionsage Credited to Oblivionsage, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect Moderate
CVE-2026-34830 was published for rack (RubyGems) Apr 2, 2026
mzfr Credited to mzfr, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory Moderate
CVE-2026-34763 was published for rack (RubyGems) Apr 2, 2026
haruki0409 Credited to haruki0409, ioquatix, and jeremyevans ioquatix ioquatix
jeremyevans jeremyevans
Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing Moderate
CVE-2026-32762 was published for rack (RubyGems) Apr 2, 2026
th4s1s Credited to th4s1s, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values Moderate
CVE-2026-26962 was published for rack (RubyGems) Apr 2, 2026
wtn Credited to wtn, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass. Moderate
CVE-2026-26961 was published for rack (RubyGems) Apr 2, 2026
CodeByMoriarty Credited to CodeByMoriarty, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack's multipart byte range processing allows denial of service via excessive overlapping ranges Moderate
CVE-2026-34826 was published for rack (RubyGems) Apr 2, 2026
orenyomtov Credited to orenyomtov, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack:: Static header_rules bypass via URL-encoded paths Moderate
CVE-2026-34786 was published for rack (RubyGems) Apr 2, 2026
haruki0409 Credited to haruki0409, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
iCalendar has ICS injection via unsanitized URI property values Moderate
CVE-2026-33635 was published for icalendar (RubyGems) Mar 24, 2026
WesR Credited to WesR
Rails Active Storage has possible glob injection in its DiskService Moderate
CVE-2026-33202 was published for activestorage (RubyGems) Mar 23, 2026
Rails Active Support has a possible DoS vulnerability in its number helpers Moderate
CVE-2026-33176 was published for activesupport (RubyGems) Mar 23, 2026
Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests Moderate
CVE-2026-33174 was published for activestorage (RubyGems) Mar 23, 2026
Rails Active Storage has possible content type bypass via metadata in direct uploads Moderate
CVE-2026-33173 was published for activestorage (RubyGems) Mar 23, 2026
Rails Active Support has a possible XSS vulnerability in SafeBuffer#% Moderate
CVE-2026-33170 was published for activesupport (RubyGems) Mar 23, 2026
ch4n3-yoon Credited to ch4n3-yoon
Rails Active Support has a possible ReDoS vulnerability in number_to_delimited Moderate
CVE-2026-33169 was published for activesupport (RubyGems) Mar 23, 2026
bcrypt-ruby has an Integer Overflow that Causes Zero Key-Strengthening Iterations at Cost=31 on JRuby Moderate
CVE-2026-33306 was published for bcrypt (RubyGems) Mar 19, 2026
Avo has a XSS vulnerability on `return_to` param Moderate
CVE-2026-33209 was published for avo (RubyGems) Mar 18, 2026
timwis Credited to timwis
Devise has a confirmable "change email" race condition permits user to confirm email they have no access to Moderate
CVE-2026-32700 was published for devise (RubyGems) Mar 17, 2026
grantcox Credited to grantcox and albinowax albinowax albinowax
Katello: Denial of Service and potential information disclosure via SQL injection Moderate
CVE-2026-4324 was published for katello (RubyGems) Mar 17, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database