Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
42
GitHub Actions
43
Go
3,164
Maven
5,000+
npm
5,000+
NuGet
863
pip
4,458
Pub
12
RubyGems
991
Rust
1,184
Swift
50
Unreviewed advisories
All unreviewed
5,000+

991 advisories

Loading
AWS SDK for Ruby's S3 Encryption Client has a Key Commitment Issue Moderate
CVE-2025-14762 was published for aws-sdk-s3 (RubyGems) Dec 18, 2025
ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay Moderate
CVE-2025-68113 was published for altcha (RubyGems) Dec 16, 2025
eternal-flame-AD Credited to eternal-flame-AD
Ruby-saml allows a Libxml2 Canonicalization error to bypass Digest/Signature validation Critical
CVE-2025-66568 was published for ruby-saml (RubyGems) Dec 8, 2025
d0ge Credited to d0ge
Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential) Critical
CVE-2025-66567 was published for ruby-saml (RubyGems) Dec 8, 2025
d0ge Credited to d0ge
Duplicate Advisory: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values High
GHSA-4249-gjr8-jpq3 was published for prosemirror_to_html (RubyGems) Nov 13, 2025 withdrawn
Duplicate Advisory: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values High
GHSA-vfpf-xmwh-8m65 was published for prosemirror_to_html (RubyGems) Nov 7, 2025 withdrawn
MQTT does not validate hostnames High
CVE-2025-12790 was published for mqtt (RubyGems) Nov 6, 2025
Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values High
CVE-2025-64501 was published for prosemirror_to_html (RubyGems) Nov 6, 2025
polypixeldev Credited to polypixeldev, Luke-Oldenburg, Spone, and 9021007 Luke-Oldenburg Luke-Oldenburg
Spone Spone 9021007 9021007
Sinatra is vulnerable to ReDoS through ETag header value generation Low
CVE-2025-61921 was published for sinatra (RubyGems) Oct 10, 2025
dentarg Credited to dentarg
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing High
CVE-2025-61919 was published for rack (RubyGems) Oct 10, 2025
Pirikara Credited to Pirikara, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack has a Possible Information Disclosure Vulnerability Moderate
CVE-2025-61780 was published for rack (RubyGems) Oct 10, 2025
leahneukirchen Credited to leahneukirchen, jeremyevans, matthewd, and ioquatix jeremyevans jeremyevans
matthewd matthewd ioquatix ioquatix
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion) High
CVE-2025-61772 was published for rack (RubyGems) Oct 7, 2025
kwkr Credited to kwkr, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion) High
CVE-2025-61771 was published for rack (RubyGems) Oct 7, 2025
kwkr Credited to kwkr, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion) High
CVE-2025-61770 was published for rack (RubyGems) Oct 7, 2025
kwkr Credited to kwkr, ioquatix, and jeremyevans ioquatix ioquatix
jeremyevans jeremyevans
Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters High
CVE-2025-59830 was published for rack (RubyGems) Sep 25, 2025
kwkr Credited to kwkr, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
REXML has DoS condition when parsing malformed XML file Low
CVE-2025-58767 was published for rexml (RubyGems) Sep 17, 2025
sofiaaberegg Credited to sofiaaberegg
Google Sign-In for Rails allowed redirect to protocol-relative URI Moderate
CVE-2025-58067 was published for google_sign_in (RubyGems) Aug 29, 2025
Google Sign-In for Rails allowed redirects to malformed URLs Moderate
CVE-2025-57821 was published for google_sign_in (RubyGems) Aug 27, 2025
Muntrive Credited to Muntrive
Spree Commerce is vulnerable to RCE through Search API Critical
CVE-2011-10026 was published for rd_searchlogic (RubyGems) Aug 20, 2025
Active Storage allowed transformation methods that were potentially unsafe Critical
CVE-2025-24293 was published for activestorage (RubyGems) Aug 14, 2025
th4s1s Credited to th4s1s
Active Record logging vulnerable to ANSI escape injection Moderate
CVE-2025-55193 was published for activerecord (RubyGems) Aug 13, 2025
th4s1s Credited to th4s1s
Spree has Remote Command Execution vulnerability in search functionality Critical
CVE-2011-10019 was published for spree (RubyGems) Aug 13, 2025
JWE is missing AES-GCM authentication tag validation in encrypted JWE Critical
CVE-2025-54887 was published for jwe (RubyGems) Aug 7, 2025
Sideni Credited to Sideni
Ruby SAML DOS vulnerability with large SAML response Moderate
CVE-2025-54572 was published for ruby-saml (RubyGems) Jul 30, 2025
Yuuki77 Credited to Yuuki77 and dblessing dblessing dblessing
Nokogiri patches vendored libxml2 to resolve multiple CVEs Critical
GHSA-353f-x4gh-cqq8 was published for nokogiri (RubyGems) Jul 21, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database