GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

370 advisories

Concurrent Ruby: `AtomicReference#update` livelocks when the stored value is `Float::NAN` (High)
CVE-2026-54904, published for concurrent-ruby (RubyGems) on Jun 19, 2026. Credited to pranjalithakur.

Oj: Integer Overflow in Oj.load 2GB String Handling (High)
CVE-2026-54903, published for oj (RubyGems) on Jun 19, 2026.

Oj: Use-After-Free in Oj::Parser SAJ Long Key Callback (High)
CVE-2026-54902, published for oj (RubyGems) on Jun 19, 2026.

Oj: Use-After-Free in Oj::Parser array_class/hash_class GC Marking (High)
CVE-2026-54901, published for oj (RubyGems) on Jun 19, 2026.

Oj: Negative-Size memcpy in Oj::Parser create_id Attribute Handling (High)
CVE-2026-54900, published for oj (RubyGems) on Jun 19, 2026.

Oj: Use-After-Free in Oj::Parser SAJ Callback via Input Mutation (High)
CVE-2026-54898, published for oj (RubyGems) on Jun 19, 2026.

Oj: Use-After-Free in Oj::Doc Iterators via Reentrant Close (High)
CVE-2026-54897, published for oj (RubyGems) on Jun 19, 2026.

Oj: Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent (High)
CVE-2026-54896, published for oj (RubyGems) on Jun 19, 2026.

Oj: Stack Buffer Overflow in Oj::Doc#each_child via Deeply Nested Input (High)
CVE-2026-54592, published for oj (RubyGems) on Jun 19, 2026. Credited to 7a6163 and kocaemre.

Oj: Stack Buffer Overflow in Oj.dump via Large Indent (High)
CVE-2026-54502, published for oj (RubyGems) on Jun 19, 2026. Credited to cla7aye15I4nd and yuhang-lab.

Oj: Use-After-Free in Oj::Parser Symbol Key Cache Toggle (High)
CVE-2026-54899, published for oj (RubyGems) on Jun 19, 2026.

AlchemyCMS: Unauthenticated nested page API leaks restricted & unpublished content (High)
GHSA-mqq5-j7w8-2hgh, published for alchemy_cms (RubyGems) on Jun 19, 2026. Credited to Haxset.

Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections (High)
CVE-2026-47737, published for puma (RubyGems) on Jun 9, 2026. Credited to vxhex and nateberkopec.

Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion (High)
CVE-2026-47736, published for puma (RubyGems) on Jun 8, 2026. Credited to Pirikara.

ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351 (High)
CVE-2026-45363, published for jwt (RubyGems) on May 18, 2026. Credited to SnailSploit, perryn, evansalter, and canderson-activatecare.

katalyst-koi: Session cookies can be replayed after user logout (High)
CVE-2026-44511, published for katalyst-koi (RubyGems) on May 7, 2026.

Nokogiri CSS selector tokenizer has regular expression backtracking (High)
GHSA-c4rq-3m3g-8wgx, published for nokogiri (RubyGems) on May 6, 2026. Credited to colby-swandale and flavorjones.

net-imap vulnerable to STARTTLS stripping via invalid response timing (High)
CVE-2026-42246, published for net-imap (RubyGems) on May 4, 2026. Credited to Masamuneee and xIllunight.

ERB has an @_init deserialization guard bypass via def_module / def_method / def_class (High)
CVE-2026-41316, published for erb (RubyGems) on Apr 24, 2026. Credited to TristanInSec.

OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence (High)
CVE-2026-42084, published for openc3 (RubyGems) on Apr 22, 2026. Credited to ctrlsill and michaelknap.

Decidim's comments API allows access to all commentable resources (High)
CVE-2026-40870, published for decidim-api (RubyGems) on Apr 14, 2026. Credited to ahukkanen.

Decidim amendments can be accepted or rejected by anyone (High)
CVE-2026-40869, published for decidim-core (RubyGems) on Apr 14, 2026.