GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
483 advisories
Rack::Request accepts invalid Host characters, enabling host allowlist bypass
Moderate
CVE-2026-34835
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack has Content-Length mismatch in Rack::Files error responses
Moderate
CVE-2026-34831
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect
Moderate
CVE-2026-34830
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory
Moderate
CVE-2026-34763
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
Moderate
CVE-2026-34230
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing
Moderate
CVE-2026-32762
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values
Moderate
CVE-2026-26962
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack's multipart byte range processing allows denial of service via excessive overlapping ranges
Moderate
CVE-2026-34826
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack:: Static header_rules bypass via URL-encoded paths
Moderate
CVE-2026-34786
was published
for
rack
(RubyGems)
Apr 2, 2026
iCalendar has ICS injection via unsanitized URI property values
Moderate
CVE-2026-33635
was published
for
icalendar
(RubyGems)
Mar 24, 2026
Avo has a XSS vulnerability on `return_to` param
Moderate
CVE-2026-33209
was published
for
avo
(RubyGems)
Mar 18, 2026
Devise has a confirmable "change email" race condition permits user to confirm email they have no access to
Moderate
CVE-2026-32700
was published
for
devise
(RubyGems)
Mar 17, 2026
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Moderate
CVE-2026-25500
was published
for
rack
(RubyGems)
Feb 17, 2026
Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
Moderate
CVE-2026-25765
was published
for
faraday
(RubyGems)
Feb 9, 2026
ProTip!
Advisories are also available from the
GraphQL API