Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,116 advisories

Loading
Decidim: Push subscriptions can be abused for server-side requests Moderate
CVE-2026-45573 was published for decidim-core (RubyGems) Jul 13, 2026
Decidim: HTML content blocks allow stored script execution Moderate
CVE-2026-45572 was published for decidim-core (RubyGems) Jul 13, 2026
Decidim: CSV census record endpoints improper authorization Moderate
CVE-2026-45415 was published for decidim-verifications (RubyGems) Jul 13, 2026
Decidim: JWT-backed authentication can be replayed across organizations High
CVE-2026-45414 was published for decidim (RubyGems) Jul 13, 2026
Decidim: Verification documents can be downloaded through reusable links High
CVE-2026-45378 was published for decidim-verifications (RubyGems) Jul 13, 2026
andreslucena Credited to andreslucena
Decidim: Private exports can be downloaded through reusable links Moderate
CVE-2026-45377 was published for decidim-core (RubyGems) Jul 13, 2026
Decidim: Admin user search allows SQL injection through similarity-based sorting Moderate
CVE-2026-45376 was published for decidim-admin (RubyGems) Jul 13, 2026
Decidim: Verification admins can access supplied IDs from other organizations Moderate
CVE-2026-45330 was published for decidim-verifications (RubyGems) Jul 13, 2026
Decidim: Forms admin question editor lacks authorization Moderate
CVE-2026-45086 was published for decidim-demographics (RubyGems) Jul 13, 2026
Excon does not redact additional sensitive/risky headers when following redirects Moderate
CVE-2026-54171 was published for excon (RubyGems) Jul 10, 2026
SnailSploit Credited to SnailSploit
Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input Moderate
CVE-2026-54163 was published for secure_headers (RubyGems) Jul 10, 2026
tonghuaroot Credited to tonghuaroot
tarryGrain0 Credited to tarryGrain0 and Paul-Bob Paul-Bob Paul-Bob
Ruby CSS Parser: SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file` High
CVE-2026-53727 was published for css_parser (RubyGems) Jul 9, 2026
JLLeitschuh Credited to JLLeitschuh
pay-rails/pay: non-constant-time HMAC comparison in Paddle Billing webhook signature verifier High
GHSA-mjgf-xj26-9qf9 was published for pay (RubyGems) Jul 1, 2026
tonghuaroot Credited to tonghuaroot
YARD static cache reads raw traversal paths before router sanitization Moderate
CVE-2026-49342 was published for yard (RubyGems) Jun 26, 2026
hibrian827 Credited to hibrian827
fluent-plugin-opentelemetry Has Denial of Service (DoS) via Large Payloads and Decompression Bombs in `in_opentelemetry` Moderate
CVE-2026-44163 was published for fluent-plugin-opentelemetry (RubyGems) Jun 26, 2026
fluent-plugin-s3 Vulnerable to Denial of Service (DoS) via Decompression Bomb in `in_s3` Low
CVE-2026-44162 was published for fluent-plugin-s3 (RubyGems) Jun 26, 2026
Fluentd is Vulnerable to Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http` High
CVE-2026-44161 was published for fluentd (RubyGems) Jun 26, 2026
everping Credited to everping
everping Credited to everping
Fluentd is Vulnerable to Exposure of Sensitive Information via Monitor Agent API High
CVE-2026-44025 was published for fluentd (RubyGems) Jun 26, 2026
everping Credited to everping
Fluentd is Vulnerable to Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder Critical
CVE-2026-44024 was published for fluentd (RubyGems) Jun 26, 2026
everping Credited to everping
Concurrent Ruby: ReadWriteLock allows wrong-thread write release and stray read-release counter corruption Low
CVE-2026-54906 was published for concurrent-ruby (RubyGems) Jun 19, 2026
pranjalithakur Credited to pranjalithakur
Concurrent Ruby: `ReentrantReadWriteLock` read-count overflow grants a write lock without exclusivity Low
CVE-2026-54905 was published for concurrent-ruby (RubyGems) Jun 19, 2026
pranjalithakur Credited to pranjalithakur
Concurrent Ruby : `AtomicReference#update` livelocks when the stored value is `Float::NAN` High
CVE-2026-54904 was published for concurrent-ruby (RubyGems) Jun 19, 2026
pranjalithakur Credited to pranjalithakur
Oj: Integer Overflow in Oj.load 2GB String Handling High
CVE-2026-54903 was published for oj (RubyGems) Jun 19, 2026
ProTip! Advisories are also available from the GraphQL API