Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,116 advisories

Loading
Decidim: Push subscriptions can be abused for server-side requests Moderate
CVE-2026-45573 was published for decidim-core (RubyGems) Jul 13, 2026
Decidim: HTML content blocks allow stored script execution Moderate
CVE-2026-45572 was published for decidim-core (RubyGems) Jul 13, 2026
Decidim: CSV census record endpoints improper authorization Moderate
CVE-2026-45415 was published for decidim-verifications (RubyGems) Jul 13, 2026
Decidim: JWT-backed authentication can be replayed across organizations High
CVE-2026-45414 was published for decidim (RubyGems) Jul 13, 2026
Decidim: Verification documents can be downloaded through reusable links High
CVE-2026-45378 was published for decidim-verifications (RubyGems) Jul 13, 2026
andreslucena Credited to andreslucena
Decidim: Private exports can be downloaded through reusable links Moderate
CVE-2026-45377 was published for decidim-core (RubyGems) Jul 13, 2026
Decidim: Admin user search allows SQL injection through similarity-based sorting Moderate
CVE-2026-45376 was published for decidim-admin (RubyGems) Jul 13, 2026
Decidim: Verification admins can access supplied IDs from other organizations Moderate
CVE-2026-45330 was published for decidim-verifications (RubyGems) Jul 13, 2026
Decidim: Forms admin question editor lacks authorization Moderate
CVE-2026-45086 was published for decidim-demographics (RubyGems) Jul 13, 2026
Excon does not redact additional sensitive/risky headers when following redirects Moderate
CVE-2026-54171 was published for excon (RubyGems) Jul 10, 2026
SnailSploit Credited to SnailSploit
Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input Moderate
CVE-2026-54163 was published for secure_headers (RubyGems) Jul 10, 2026
tonghuaroot Credited to tonghuaroot
tarryGrain0 Credited to tarryGrain0 and Paul-Bob Paul-Bob Paul-Bob
Potential XSS vulnerability in jQuery Moderate
CVE-2020-11022 was published for athlon1600/youtube-downloader (RubyGems) Apr 29, 2020
masatokinugawa Credited to masatokinugawa, Churro, Rudloff, sealonohana, and Athlon1600 Churro Churro
Rudloff Rudloff sealonohana sealonohana Athlon1600 Athlon1600
Ruby CSS Parser: SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file` High
CVE-2026-53727 was published for css_parser (RubyGems) Jul 9, 2026
JLLeitschuh Credited to JLLeitschuh
CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters Moderate
CVE-2026-44587 was published for carrierwave (RubyGems) May 27, 2026
snoopysecurity Credited to snoopysecurity and bilerden bilerden bilerden
JMESPath for Ruby uses unsafe JSON.load when safe JSON.parse is preferable Critical
CVE-2022-32511 was published for jmespath (RubyGems) Jun 7, 2022
plygrnd Credited to plygrnd and tdunlap607 tdunlap607 tdunlap607
Net::IMAP: Command Injection via ID command argument Moderate
CVE-2026-47242 was published for net-imap (RubyGems) Jun 9, 2026
nevans Credited to nevans
Net::IMAP: Denial of Service via incomplete raw argument validation Low
CVE-2026-47241 was published for net-imap (RubyGems) Jun 9, 2026
fg0x0 Credited to fg0x0
Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument Moderate
CVE-2026-47240 was published for net-imap (RubyGems) Jun 9, 2026
nevans Credited to nevans
pay-rails/pay: non-constant-time HMAC comparison in Paddle Billing webhook signature verifier High
GHSA-mjgf-xj26-9qf9 was published for pay (RubyGems) Jul 1, 2026
tonghuaroot Credited to tonghuaroot
Publify Vulnerable To Cross-Site Scripting (XSS) Via Redirects Requiring User Interaction Low
CVE-2024-39311 was published for publify_core (RubyGems) Mar 28, 2025
PinkDraconian Credited to PinkDraconian
YARD static cache reads raw traversal paths before router sanitization Moderate
CVE-2026-49342 was published for yard (RubyGems) Jun 26, 2026
hibrian827 Credited to hibrian827
kocaemre Credited to kocaemre, G-Rath, iBotPeaches, Starfox64, sfriedman-cape, and maikelvdh G-Rath G-Rath
iBotPeaches iBotPeaches Starfox64 Starfox64 sfriedman-cape sfriedman-cape maikelvdh maikelvdh
fluent-plugin-opentelemetry Has Denial of Service (DoS) via Large Payloads and Decompression Bombs in `in_opentelemetry` Moderate
CVE-2026-44163 was published for fluent-plugin-opentelemetry (RubyGems) Jun 26, 2026
fluent-plugin-s3 Vulnerable to Denial of Service (DoS) via Decompression Bomb in `in_s3` Low
CVE-2026-44162 was published for fluent-plugin-s3 (RubyGems) Jun 26, 2026
ProTip! Advisories are also available from the GraphQL API