GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
130 advisories
Filter by severity
JMESPath for Ruby uses unsafe JSON.load when safe JSON.parse is preferable
Critical
CVE-2022-32511
was published
for
jmespath
(RubyGems)
Jun 7, 2022
Fluentd is Vulnerable to Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder
Critical
CVE-2026-44024
was published
for
fluentd
(RubyGems)
Jun 26, 2026
Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation
Critical
CVE-2026-55518
was published
for
avo
(RubyGems)
Jun 17, 2026
Nokogiri vulnerable to libxslt protection mechanism bypass
Critical
CVE-2019-11068
was published
for
nokogiri
(RubyGems)
May 13, 2022
OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database
Critical
CVE-2026-42087
was published
for
openc3
(RubyGems)
Apr 23, 2026
Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
Critical
CVE-2026-39324
was published
for
rack-session
(RubyGems)
Apr 8, 2026
Decidim has a cross-site scripting (XSS) in user name
Critical
CVE-2026-23891
was published
for
decidim-core
(RubyGems)
Apr 13, 2026
Active Record RCE bug with Serialized Columns
Critical
CVE-2022-32224
was published
for
activerecord
(RubyGems)
Jul 12, 2022
OpenC3 COSMOS: Permissions Bypass Provides User Access to Unassigned Administrative Actions via Script Runner Tool
Critical
GHSA-2wvh-87g2-89hr
was published
for
openc3
(RubyGems)
Apr 23, 2026
Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names
Critical
CVE-2026-33286
was published
for
graphiti
(RubyGems)
Mar 20, 2026
Katello uses hard coded credential
Critical
CVE-2012-3503
was published
for
katello
(RubyGems)
May 17, 2022
Active Record component in Ruby on Rails has a data-type injection vulnerability
Critical
CVE-2013-3221
was published
for
activerecord
(RubyGems)
May 14, 2022
Active Storage allowed transformation methods that were potentially unsafe
Critical
CVE-2025-24293
was published
for
activestorage
(RubyGems)
Aug 14, 2025
openc3-api Vulnerable to Unauthenticated Remote Code Execution
Critical
CVE-2025-68271
was published
for
openc3
(RubyGems)
Jan 13, 2026
Spree has Remote Command Execution vulnerability in search functionality
Critical
CVE-2011-10019
was published
for
spree
(RubyGems)
Aug 13, 2025
Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential)
Critical
CVE-2025-66567
was published
for
ruby-saml
(RubyGems)
Dec 8, 2025
Ruby-saml allows a Libxml2 Canonicalization error to bypass Digest/Signature validation
Critical
CVE-2025-66568
was published
for
ruby-saml
(RubyGems)
Dec 8, 2025
Spree Commerce is vulnerable to RCE through Search API
Critical
CVE-2011-10026
was published
for
rd_searchlogic
(RubyGems)
Aug 20, 2025
StringIO buffer overread vulnerability
Critical
CVE-2024-27280
was published
for
stringio
(RubyGems)
Mar 25, 2024
Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential)
Critical
CVE-2025-25292
was published
for
ruby-saml
(RubyGems)
Mar 12, 2025
graphql allows remote code execution when loading a crafted GraphQL schema
Critical
CVE-2025-27407
was published
for
graphql
(RubyGems)
Mar 12, 2025
Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)
Critical
CVE-2025-25291
was published
for
ruby-saml
(RubyGems)
Mar 12, 2025
OpenC3 COSMOS Vulnerable to Directory Traversal via /script-api/scripts/ endpoint
Critical
CVE-2025-28384
was published
for
openc3-cosmos-tool-iframe
(RubyGems)
Jun 13, 2025
Job Iteration API is vulnerable to OS Command Injection attack through its CsvEnumerator class
Critical
CVE-2025-53623
was published
for
job-iteration
(RubyGems)
Jul 14, 2025
Prototype Pollution in lodash
Critical
CVE-2019-10744
was published
for
lodash
(RubyGems)
Jul 10, 2019
ProTip!
Advisories are also available from the
GraphQL API