GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
332 advisories
Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values
High • GHSA-w67g-2h6v-vjgq was published for phlex (RubyGems) • Feb 6, 2026

Unauthenticated Spree Commerce users can access all guest addresses
High • CVE-2026-25758 was published for spree_api (RubyGems) • Feb 5, 2026

Unauthenticated Spree Commerce users can view completed guest orders by Order ID
High • CVE-2026-25757 was published for spree_storefront (RubyGems) • Feb 5, 2026

Decidim's private data exports can lead to data leaks
High • CVE-2025-65017 was published for decidim (RubyGems) • Feb 3, 2026

foreman_kubevirt disables SSL verification if a Certificate Authority (CA) certificate is not explicitly set
High • CVE-2026-1531 was published for foreman_kubevirt (RubyGems) • Feb 2, 2026

fog-kubevirt allows remote attacker to perform MITM attack due to disabled certificate validation
High • CVE-2026-1530 was published for fog-kubevirt (RubyGems) • Feb 2, 2026

ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub() Function SQL Injection
High • GHSA-5qw5-wf2q-f538 was published for activerecord-jdbc-adapter (RubyGems) • Jan 16, 2026

Spree API has Unauthenticated IDOR - Guest Address
High • CVE-2026-22589 was published for spree_core (RubyGems) • Jan 8, 2026

Shakapacker has environment variable leak via EnvironmentPlugin that exposes secrets to client-side bundles
High • GHSA-96qw-h329-v5rg was published for shakapacker (RubyGems) • Jan 8, 2026

httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage
High • CVE-2025-68696 was published for httparty (RubyGems) • Dec 23, 2025

Duplicate Advisory: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values
High • GHSA-4249-gjr8-jpq3 was published for prosemirror_to_html (RubyGems) • Nov 13, 2025 • withdrawn

Duplicate Advisory: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values
High • GHSA-vfpf-xmwh-8m65 was published for prosemirror_to_html (RubyGems) • Nov 7, 2025 • withdrawn

Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values
High • CVE-2025-64501 was published for prosemirror_to_html (RubyGems) • Nov 6, 2025

Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
High • CVE-2025-61919 was published for rack (RubyGems) • Oct 10, 2025

Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
High • CVE-2025-61772 was published for rack (RubyGems) • Oct 7, 2025

Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
High • CVE-2025-61771 was published for rack (RubyGems) • Oct 7, 2025

Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
High • CVE-2025-61770 was published for rack (RubyGems) • Oct 7, 2025

Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters
High • CVE-2025-59830 was published for rack (RubyGems) • Sep 25, 2025

Withdrawn Advisory: Thor can construct an unsafe shell command from library input.
High • CVE-2025-54314 was published for thor (RubyGems) • Jul 20, 2025 • withdrawn

OpenC3 COSMOS Vulnerable to Directory Traversal via openc3-api/tables endpoint
High • CVE-2025-28382 was published for openc3-cosmos-tool-iframe (RubyGems) • Jun 13, 2025

Rack has an Unbounded-Parameter DoS in Rack::QueryParser
High • CVE-2025-46727 was published for rack (RubyGems) • May 8, 2025

Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs
High • GHSA-mrxw-mxhj-p664 was published for nokogiri (RubyGems) • Mar 14, 2025

Ruby SAML allows remote Denial of Service (DoS) with compressed SAML responses
High • CVE-2025-25293 was published for ruby-saml (RubyGems) • Mar 12, 2025

Out-of-bounds Read in Ruby JSON Parser
High • CVE-2025-27788 was published for json (RubyGems) • Mar 12, 2025

ProTip! Advisories are also available from the GraphQL API