Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
38
Go
2,880
Maven
5,000+
npm
4,518
NuGet
784
pip
4,260
Pub
12
RubyGems
975
Rust
1,105
Swift
49
Unreviewed advisories
All unreviewed
5,000+

975 advisories

Loading
AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper Moderate
CVE-2026-23885 was published for alchemy_cms (RubyGems) Jan 21, 2026
TheDeepOpc tvdeyen
Credited to TheDeepOpc and tvdeyen
Active Job - Object injection security vulnerability Moderate
GHSA-mpwp-4h2m-765c was published for activejob (RubyGems) Jan 16, 2026
ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub() Function SQL Injection High
GHSA-5qw5-wf2q-f538 was published for activerecord-jdbc-adapter (RubyGems) Jan 16, 2026
openc3-api Vulnerable to Unauthenticated Remote Code Execution Critical
CVE-2025-68271 was published for openc3 (RubyGems) Jan 13, 2026
GhostPowerShell
Credited to GhostPowerShell
Spree API has Unauthenticated IDOR - Guest Address High
CVE-2026-22589 was published for spree_core (RubyGems) Jan 8, 2026
Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification Moderate
CVE-2026-22588 was published for spree_api (RubyGems) Jan 8, 2026
Shakapacker has environment variable leak via EnvironmentPlugin that exposes secrets to client-side bundles High
GHSA-96qw-h329-v5rg was published for shakapacker (RubyGems) Jan 8, 2026
Trix has a stored XSS vulnerability through its attachment attribute Moderate
GHSA-g9jg-w8vm-g96v was published for action_text-trix (RubyGems) Dec 31, 2025
URI Credential Leakage Bypass over CVE-2025-27221 Low
CVE-2025-61594 was published for uri (RubyGems) Dec 30, 2025
httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage High
CVE-2025-68696 was published for httparty (RubyGems) Dec 23, 2025
lambdasawa ashkulz
Credited to lambdasawa and ashkulz
AWS SDK for Ruby's S3 Encryption Client has a Key Commitment Issue Moderate
CVE-2025-14762 was published for aws-sdk-s3 (RubyGems) Dec 18, 2025
ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay Moderate
CVE-2025-68113 was published for altcha (RubyGems) Dec 16, 2025
eternal-flame-AD
Credited to eternal-flame-AD
Ruby-saml allows a Libxml2 Canonicalization error to bypass Digest/Signature validation Critical
CVE-2025-66568 was published for ruby-saml (RubyGems) Dec 8, 2025
d0ge
Credited to d0ge
Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential) Critical
CVE-2025-66567 was published for ruby-saml (RubyGems) Dec 8, 2025
d0ge
Credited to d0ge
Duplicate Advisory: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values High
GHSA-4249-gjr8-jpq3 was published for prosemirror_to_html (RubyGems) Nov 13, 2025 withdrawn
Duplicate Advisory: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values High
GHSA-vfpf-xmwh-8m65 was published for prosemirror_to_html (RubyGems) Nov 7, 2025 withdrawn
MQTT does not validate hostnames High
CVE-2025-12790 was published for mqtt (RubyGems) Nov 6, 2025
Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values High
CVE-2025-64501 was published for prosemirror_to_html (RubyGems) Nov 6, 2025
polypixeldev Luke-Oldenburg
Spone 9021007
Credited to polypixeldev, Luke-Oldenburg, Spone, and 9021007
Sinatra is vulnerable to ReDoS through ETag header value generation Low
CVE-2025-61921 was published for sinatra (RubyGems) Oct 10, 2025
dentarg
Credited to dentarg
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing High
CVE-2025-61919 was published for rack (RubyGems) Oct 10, 2025
Pirikara jeremyevans
ioquatix
Credited to Pirikara, jeremyevans, and ioquatix
Rack has a Possible Information Disclosure Vulnerability Moderate
CVE-2025-61780 was published for rack (RubyGems) Oct 10, 2025
leahneukirchen jeremyevans
matthewd ioquatix
Credited to leahneukirchen, jeremyevans, matthewd, and ioquatix
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion) High
CVE-2025-61772 was published for rack (RubyGems) Oct 7, 2025
kwkr jeremyevans
ioquatix
Credited to kwkr, jeremyevans, and ioquatix
Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion) High
CVE-2025-61771 was published for rack (RubyGems) Oct 7, 2025
kwkr jeremyevans
ioquatix
Credited to kwkr, jeremyevans, and ioquatix
Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion) High
CVE-2025-61770 was published for rack (RubyGems) Oct 7, 2025
kwkr ioquatix
jeremyevans
Credited to kwkr, ioquatix, and jeremyevans
Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters High
CVE-2025-59830 was published for rack (RubyGems) Sep 25, 2025
kwkr jeremyevans
ioquatix
Credited to kwkr, jeremyevans, and ioquatix
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database