GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
62 advisories
Each entry below lists the advisory title, then severity | identifier | affected package (ecosystem) | publication date.

py7zr: Decompression bomb (zip bomb) denial of service via unchecked extraction size
  Moderate | CVE-2026-55195 | py7zr (pip) | published Jun 19, 2026

vLLM: OOM Denial of Service via Audio Decompression Bomb
  Moderate | CVE-2026-54233 | vllm (pip) | published Jun 17, 2026

n8n: Denial of Service via ZIP decompression in webhook workflow
  Moderate | CVE-2026-54314 | n8n (npm) | published Jun 16, 2026

tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)
  High | CVE-2026-49855 | tornado (pip) | published Jun 15, 2026

aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup
  Moderate | CVE-2026-54278 | aiohttp (pip) | published Jun 15, 2026

NIOExtras: NIOHTTPRequestDecompressor ratio limit bypass via inflated Content-Length
  Moderate | CVE-2026-28975 | github.com/apple/swift-nio-extras (Swift) | published Jun 12, 2026
Protocol::HTTP2 versions through 1.12 for Perl are vulnerable to an HTTP/2 Bomb. Protocol::HTTP2's...
  High | Unreviewed | CVE-2026-10725 | published Jun 6, 2026
Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend
  Moderate | CVE-2026-44018 | docling (pip) | published Jun 3, 2026

ExifReader is vulnerable to denial of service via unbounded decompression of image metadata
  Moderate | CVE-2026-8814 | exifreader (npm) | published May 29, 2026

CrowdSec LAPI: Denial of Service via Unbounded Gzip Decompression
  Moderate | CVE-2026-44981 | github.com/crowdsecurity/crowdsec (Go) | published May 27, 2026

cowlib: Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame
  High | CVE-2026-43970 | cowlib (Erlang) | published May 13, 2026

Klever-Go MultiDataInterceptor has remote OOM via crafted compressed P2P payload
  High | CVE-2026-44697 | github.com/klever-io/klever-go (Go) | published May 13, 2026

urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API
  High | CVE-2026-44432 | urllib3 (pip) | published May 11, 2026

PraisonAI Vulnerable to Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits
  Moderate | CVE-2026-40148 | PraisonAI (pip) | published Apr 10, 2026

Duplicate Advisory: Unfurl's unbounded zlib decompression allows decompression bomb DoS
  High | GHSA-c3f2-qg8v-25q2 | dfir-unfurl (pip) | published Apr 9, 2026 | withdrawn

JWCrypto: JWE ZIP decompression bomb
  Moderate | CVE-2026-39373 | jwcrypto (pip) | published Apr 8, 2026

Mattermost doesn't validate decompressed archive entry sizes during file extraction
  Moderate | CVE-2026-3114 | github.com/mattermost/mattermost/server/v8 (Go) | published Mar 26, 2026

OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2...
  Moderate | Unreviewed | CVE-2026-32044 | published Mar 21, 2026

PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS
  Moderate | GHSA-vrqm-gvq7-rrwh | @pdfme/pdf-lib (npm) | published Mar 20, 2026

Keycloak: Denial of Service due to excessive SAMLRequest decompression
  Moderate | CVE-2026-2575 | org.keycloak:keycloak-saml-adapter-core (Maven) | published Mar 18, 2026

file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry
  Moderate | CVE-2026-32630 | file-type (npm) | published Mar 13, 2026

Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
  High | CVE-2026-1526 | undici (npm) | published Mar 13, 2026

OpenClaw skills-install-download: tar.bz2 extraction bypassed archive safety parity checks (local DoS)
  Moderate | GHSA-77hf-7fqf-f227 | openclaw (npm) | published Mar 3, 2026

psd-tools: Compression module has unguarded zlib decompression, missing dimension validation, and hardening gaps
  Moderate | CVE-2026-27809 | psd-tools (pip) | published Feb 26, 2026

Sliver has Potential Zip Bomb Denial of Service in GzipEncoder
  High | GHSA-2phg-qgmm-r638 | github.com/BishopFox/sliver (Go) | published Feb 25, 2026