Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,606
Maven
5,000+
npm
5,000+
NuGet
924
pip
4,831
Pub
13
RubyGems
1,045
Rust
1,256
Swift
53
Unreviewed advisories
All unreviewed
5,000+

1,045 advisories

Loading
Rails has a possible XSS vulnerability in its Action View tag helpers Low
CVE-2026-33168 was published for actionview (RubyGems) Mar 23, 2026
Rails Active Support has a possible DoS vulnerability in its number helpers Moderate
CVE-2026-33176 was published for activesupport (RubyGems) Mar 23, 2026
Rails has a possible XSS vulnerability in its Action Pack debug exceptions Low
CVE-2026-33167 was published for actionpack (RubyGems) Mar 23, 2026
Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests Low
CVE-2026-33658 was published for activestorage (RubyGems) Mar 25, 2026
Rails Active Storage has possible Path Traversal in DiskService High
CVE-2026-33195 was published for activestorage (RubyGems) Mar 23, 2026
Rails Active Support has a possible ReDoS vulnerability in number_to_delimited Moderate
CVE-2026-33169 was published for activesupport (RubyGems) Mar 23, 2026
Rails Active Storage has possible content type bypass via metadata in direct uploads Moderate
CVE-2026-33173 was published for activestorage (RubyGems) Mar 23, 2026
Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests Moderate
CVE-2026-33174 was published for activestorage (RubyGems) Mar 23, 2026
yard: Possible arbitrary path traversal and file access via yard server Moderate
CVE-2026-41493 was published for yard (RubyGems) Apr 17, 2026
Decidim has a cross-site scripting (XSS) in user name Critical
CVE-2026-23891 was published for decidim-core (RubyGems) Apr 13, 2026
cyberschnaps Credited to cyberschnaps
Decidim's comments API allows access to all commentable resources High
CVE-2026-40870 was published for decidim-api (RubyGems) Apr 14, 2026
ahukkanen Credited to ahukkanen
Decidim amendments can be accepted or rejected by anyone High
CVE-2026-40869 was published for decidim-core (RubyGems) Apr 14, 2026
Uncontrolled resource consumption and loop with unreachable exit condition in facil.io and downstream iodine ruby gem High
CVE-2026-41146 was published for iodine (RubyGems) Apr 14, 2026
michaelknap Credited to michaelknap
Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation Moderate
CVE-2026-1776 was published for camaleon_cms (RubyGems) Mar 10, 2026
Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header High
CVE-2026-34230 was published for rack (RubyGems) Apr 2, 2026
kwkr Credited to kwkr, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass. Moderate
CVE-2026-26961 was published for rack (RubyGems) Apr 2, 2026
CodeByMoriarty Credited to CodeByMoriarty, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources High
GHSA-qc5p-3mg5-9fh8 was published for avo (RubyGems) Apr 24, 2026
ERB has an @_init deserialization guard bypass via def_module / def_method / def_class High
CVE-2026-41316 was published for erb (RubyGems) Apr 24, 2026
TristanInSec Credited to TristanInSec
URI Credential Leakage Bypass over CVE-2025-27221 Low
CVE-2025-61594 was published for uri (RubyGems) Dec 30, 2025
OpenC3 COSMOS: Permissions Bypass Provides User Access to Unassigned Administrative Actions via Script Runner Tool Critical
GHSA-2wvh-87g2-89hr was published for openc3 (RubyGems) Apr 23, 2026
suffs811 Credited to suffs811
OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database Critical
GHSA-v529-vhwc-wfc5 was published for openc3 (RubyGems) Apr 23, 2026
suffs811 Credited to suffs811
OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender Moderate
GHSA-ffq5-qpvf-xq7x was published for openc3 (RubyGems) Apr 22, 2026
ctrlsill Credited to ctrlsill
OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames Moderate
GHSA-4jvx-93h3-f45h was published for openc3 (RubyGems) Apr 22, 2026
ctrlsill Credited to ctrlsill
OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence High
GHSA-wgx6-g857-jjf7 was published for openc3 (RubyGems) Apr 22, 2026
ctrlsill Credited to ctrlsill
http vulnerable to Exposure of Sensitive Information to an Unauthorized Actor Moderate
CVE-2015-1828 was published for http (RubyGems) Mar 13, 2018
RainSignal Credited to RainSignal
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database