Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

519 advisories

Loading
Decidim: Push subscriptions can be abused for server-side requests Moderate
CVE-2026-45573 was published for decidim-core (RubyGems) Jul 13, 2026
Decidim: HTML content blocks allow stored script execution Moderate
CVE-2026-45572 was published for decidim-core (RubyGems) Jul 13, 2026
Decidim: CSV census record endpoints improper authorization Moderate
CVE-2026-45415 was published for decidim-verifications (RubyGems) Jul 13, 2026
Decidim: Private exports can be downloaded through reusable links Moderate
CVE-2026-45377 was published for decidim-core (RubyGems) Jul 13, 2026
Decidim: Admin user search allows SQL injection through similarity-based sorting Moderate
CVE-2026-45376 was published for decidim-admin (RubyGems) Jul 13, 2026
Decidim: Verification admins can access supplied IDs from other organizations Moderate
CVE-2026-45330 was published for decidim-verifications (RubyGems) Jul 13, 2026
Decidim: Forms admin question editor lacks authorization Moderate
CVE-2026-45086 was published for decidim-demographics (RubyGems) Jul 13, 2026
Excon does not redact additional sensitive/risky headers when following redirects Moderate
CVE-2026-54171 was published for excon (RubyGems) Jul 10, 2026
SnailSploit Credited to SnailSploit
Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input Moderate
CVE-2026-54163 was published for secure_headers (RubyGems) Jul 10, 2026
tonghuaroot Credited to tonghuaroot
tarryGrain0 Credited to tarryGrain0 and Paul-Bob Paul-Bob Paul-Bob
Potential XSS vulnerability in jQuery Moderate
CVE-2020-11022 was published for athlon1600/youtube-downloader (RubyGems) Apr 29, 2020
masatokinugawa Credited to masatokinugawa, Churro, Rudloff, sealonohana, and Athlon1600 Churro Churro
Rudloff Rudloff sealonohana sealonohana Athlon1600 Athlon1600
CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters Moderate
CVE-2026-44587 was published for carrierwave (RubyGems) May 27, 2026
snoopysecurity Credited to snoopysecurity and bilerden bilerden bilerden
Net::IMAP: Command Injection via ID command argument Moderate
CVE-2026-47242 was published for net-imap (RubyGems) Jun 9, 2026
nevans Credited to nevans
Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument Moderate
CVE-2026-47240 was published for net-imap (RubyGems) Jun 9, 2026
nevans Credited to nevans
YARD static cache reads raw traversal paths before router sanitization Moderate
CVE-2026-49342 was published for yard (RubyGems) Jun 26, 2026
hibrian827 Credited to hibrian827
fluent-plugin-opentelemetry Has Denial of Service (DoS) via Large Payloads and Decompression Bombs in `in_opentelemetry` Moderate
CVE-2026-44163 was published for fluent-plugin-opentelemetry (RubyGems) Jun 26, 2026
Oj: intern.c form_attr (uninitialized stack read) Moderate
CVE-2026-54500 was published for oj (RubyGems) Jun 19, 2026
7a6163 Credited to 7a6163
Nokogiri: Possible Out-of-Bounds Read in `Nokogiri::XML::NodeSet#[]` Moderate
GHSA-5prr-v3j2-97mh was published for nokogiri (RubyGems) Jun 19, 2026
cla7aye15I4nd Credited to cla7aye15I4nd
katello: missing repository authorization in content_uploads exposes cross-product content existence Moderate
CVE-2026-12515 was published for katello (RubyGems) Jun 17, 2026
net-imap vulnerable to command Injection via "raw" arguments to multiple commands Moderate
CVE-2026-42257 was published for net-imap (RubyGems) May 4, 2026
manunio Credited to manunio and nevans nevans nevans
Doorkeeper Openid Connect: Dynamic Client Registration feature creates public clients with client_secret Moderate
CVE-2026-44476 was published for doorkeeper-openid_connect (RubyGems) Jun 4, 2026
55728 Credited to 55728
Uninitialized read in Nokogiri gem Moderate
CVE-2019-13117 was published for nokogiri (RubyGems) May 24, 2022
view_component: System Test Entry Point Path Check Allows Sibling Directory Escape Moderate
CVE-2026-44837 was published for view_component (RubyGems) May 8, 2026
cyberlanc3r Credited to cyberlanc3r
view_component: Preview Route Can Dispatch Inherited Helper Methods Moderate
CVE-2026-44836 was published for view_component (RubyGems) May 8, 2026
cyberlanc3r Credited to cyberlanc3r
CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content Moderate
CVE-2026-44312 was published for css_parser (RubyGems) May 7, 2026
JLLeitschuh Credited to JLLeitschuh
ProTip! Advisories are also available from the GraphQL API