GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
519 advisories
Filter by severity
Decidim: Push subscriptions can be abused for server-side requests
Moderate
CVE-2026-45573
was published
for
decidim-core
(RubyGems)
Jul 13, 2026
Decidim: HTML content blocks allow stored script execution
Moderate
CVE-2026-45572
was published
for
decidim-core
(RubyGems)
Jul 13, 2026
Decidim: CSV census record endpoints improper authorization
Moderate
CVE-2026-45415
was published
for
decidim-verifications
(RubyGems)
Jul 13, 2026
Decidim: Private exports can be downloaded through reusable links
Moderate
CVE-2026-45377
was published
for
decidim-core
(RubyGems)
Jul 13, 2026
Decidim: Admin user search allows SQL injection through similarity-based sorting
Moderate
CVE-2026-45376
was published
for
decidim-admin
(RubyGems)
Jul 13, 2026
Decidim: Verification admins can access supplied IDs from other organizations
Moderate
CVE-2026-45330
was published
for
decidim-verifications
(RubyGems)
Jul 13, 2026
Decidim: Forms admin question editor lacks authorization
Moderate
CVE-2026-45086
was published
for
decidim-demographics
(RubyGems)
Jul 13, 2026
Excon does not redact additional sensitive/risky headers when following redirects
Moderate
CVE-2026-54171
was published
for
excon
(RubyGems)
Jul 10, 2026
Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input
Moderate
CVE-2026-54163
was published
for
secure_headers
(RubyGems)
Jul 10, 2026
Avo: Direct attachment upload endpoint lacks upload authorization and bypasses field-level upload policy
Moderate
CVE-2026-53769
was published
for
avo
(RubyGems)
Jul 9, 2026
Potential XSS vulnerability in jQuery
Moderate
CVE-2020-11022
was published
for
athlon1600/youtube-downloader
(RubyGems)
Apr 29, 2020
CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters
Moderate
CVE-2026-44587
was published
for
carrierwave
(RubyGems)
May 27, 2026
Net::IMAP: Command Injection via ID command argument
Moderate
CVE-2026-47242
was published
for
net-imap
(RubyGems)
Jun 9, 2026
Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument
Moderate
CVE-2026-47240
was published
for
net-imap
(RubyGems)
Jun 9, 2026
YARD static cache reads raw traversal paths before router sanitization
Moderate
CVE-2026-49342
was published
for
yard
(RubyGems)
Jun 26, 2026
fluent-plugin-opentelemetry Has Denial of Service (DoS) via Large Payloads and Decompression Bombs in `in_opentelemetry`
Moderate
CVE-2026-44163
was published
for
fluent-plugin-opentelemetry
(RubyGems)
Jun 26, 2026
Oj: intern.c form_attr (uninitialized stack read)
Moderate
CVE-2026-54500
was published
for
oj
(RubyGems)
Jun 19, 2026
Nokogiri: Possible Out-of-Bounds Read in `Nokogiri::XML::NodeSet#[]`
Moderate
GHSA-5prr-v3j2-97mh
was published
for
nokogiri
(RubyGems)
Jun 19, 2026
katello: missing repository authorization in content_uploads exposes cross-product content existence
Moderate
CVE-2026-12515
was published
for
katello
(RubyGems)
Jun 17, 2026
net-imap vulnerable to command Injection via "raw" arguments to multiple commands
Moderate
CVE-2026-42257
was published
for
net-imap
(RubyGems)
May 4, 2026
Doorkeeper Openid Connect: Dynamic Client Registration feature creates public clients with client_secret
Moderate
CVE-2026-44476
was published
for
doorkeeper-openid_connect
(RubyGems)
Jun 4, 2026
Uninitialized read in Nokogiri gem
Moderate
CVE-2019-13117
was published
for
nokogiri
(RubyGems)
May 24, 2022
view_component: System Test Entry Point Path Check Allows Sibling Directory Escape
Moderate
CVE-2026-44837
was published
for
view_component
(RubyGems)
May 8, 2026
view_component: Preview Route Can Dispatch Inherited Helper Methods
Moderate
CVE-2026-44836
was published
for
view_component
(RubyGems)
May 8, 2026
CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content
Moderate
CVE-2026-44312
was published
for
css_parser
(RubyGems)
May 7, 2026
ProTip!
Advisories are also available from the
GraphQL API