GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
1,116 advisories
Filter by severity
Decidim: Push subscriptions can be abused for server-side requests
Moderate
CVE-2026-45573
was published
for
decidim-core
(RubyGems)
Jul 13, 2026
Decidim: HTML content blocks allow stored script execution
Moderate
CVE-2026-45572
was published
for
decidim-core
(RubyGems)
Jul 13, 2026
Decidim: CSV census record endpoints improper authorization
Moderate
CVE-2026-45415
was published
for
decidim-verifications
(RubyGems)
Jul 13, 2026
Decidim: JWT-backed authentication can be replayed across organizations
High
CVE-2026-45414
was published
for
decidim
(RubyGems)
Jul 13, 2026
Decidim: Verification documents can be downloaded through reusable links
High
CVE-2026-45378
was published
for
decidim-verifications
(RubyGems)
Jul 13, 2026
Decidim: Private exports can be downloaded through reusable links
Moderate
CVE-2026-45377
was published
for
decidim-core
(RubyGems)
Jul 13, 2026
Decidim: Admin user search allows SQL injection through similarity-based sorting
Moderate
CVE-2026-45376
was published
for
decidim-admin
(RubyGems)
Jul 13, 2026
Decidim: Verification admins can access supplied IDs from other organizations
Moderate
CVE-2026-45330
was published
for
decidim-verifications
(RubyGems)
Jul 13, 2026
Decidim: Forms admin question editor lacks authorization
Moderate
CVE-2026-45086
was published
for
decidim-demographics
(RubyGems)
Jul 13, 2026
Excon does not redact additional sensitive/risky headers when following redirects
Moderate
CVE-2026-54171
was published
for
excon
(RubyGems)
Jul 10, 2026
Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input
Moderate
CVE-2026-54163
was published
for
secure_headers
(RubyGems)
Jul 10, 2026
Avo: Direct attachment upload endpoint lacks upload authorization and bypasses field-level upload policy
Moderate
CVE-2026-53769
was published
for
avo
(RubyGems)
Jul 9, 2026
Potential XSS vulnerability in jQuery
Moderate
CVE-2020-11022
was published
for
athlon1600/youtube-downloader
(RubyGems)
Apr 29, 2020
Ruby CSS Parser: SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file`
High
CVE-2026-53727
was published
for
css_parser
(RubyGems)
Jul 9, 2026
CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters
Moderate
CVE-2026-44587
was published
for
carrierwave
(RubyGems)
May 27, 2026
JMESPath for Ruby uses unsafe JSON.load when safe JSON.parse is preferable
Critical
CVE-2022-32511
was published
for
jmespath
(RubyGems)
Jun 7, 2022
Net::IMAP: Command Injection via ID command argument
Moderate
CVE-2026-47242
was published
for
net-imap
(RubyGems)
Jun 9, 2026
Net::IMAP: Denial of Service via incomplete raw argument validation
Low
CVE-2026-47241
was published
for
net-imap
(RubyGems)
Jun 9, 2026
Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument
Moderate
CVE-2026-47240
was published
for
net-imap
(RubyGems)
Jun 9, 2026
pay-rails/pay: non-constant-time HMAC comparison in Paddle Billing webhook signature verifier
High
GHSA-mjgf-xj26-9qf9
was published
for
pay
(RubyGems)
Jul 1, 2026
Publify Vulnerable To Cross-Site Scripting (XSS) Via Redirects Requiring User Interaction
Low
CVE-2024-39311
was published
for
publify_core
(RubyGems)
Mar 28, 2025
YARD static cache reads raw traversal paths before router sanitization
Moderate
CVE-2026-49342
was published
for
yard
(RubyGems)
Jun 26, 2026
Faraday: Uncontrolled recursion in NestedParamsEncoder allows stack exhaustion DoS via deeply nested query parameters
High
CVE-2026-54297
was published
for
faraday
(RubyGems)
Jun 19, 2026
fluent-plugin-opentelemetry Has Denial of Service (DoS) via Large Payloads and Decompression Bombs in `in_opentelemetry`
Moderate
CVE-2026-44163
was published
for
fluent-plugin-opentelemetry
(RubyGems)
Jun 26, 2026
fluent-plugin-s3 Vulnerable to Denial of Service (DoS) via Decompression Bomb in `in_s3`
Low
CVE-2026-44162
was published
for
fluent-plugin-s3
(RubyGems)
Jun 26, 2026
ProTip!
Advisories are also available from the
GraphQL API