Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

130 advisories

Loading
JMESPath for Ruby uses unsafe JSON.load when safe JSON.parse is preferable Critical
CVE-2022-32511 was published for jmespath (RubyGems) Jun 7, 2022
plygrnd Credited to plygrnd and tdunlap607 tdunlap607 tdunlap607
Fluentd is Vulnerable to Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder Critical
CVE-2026-44024 was published for fluentd (RubyGems) Jun 26, 2026
everping Credited to everping
xIllunight Credited to xIllunight and Paul-Bob Paul-Bob Paul-Bob
Nokogiri vulnerable to libxslt protection mechanism bypass Critical
CVE-2019-11068 was published for nokogiri (RubyGems) May 13, 2022
OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database Critical
CVE-2026-42087 was published for openc3 (RubyGems) Apr 23, 2026
suffs811 Credited to suffs811
sm1ee Credited to sm1ee, ioquatix, and jeremyevans ioquatix ioquatix
jeremyevans jeremyevans
Decidim has a cross-site scripting (XSS) in user name Critical
CVE-2026-23891 was published for decidim-core (RubyGems) Apr 13, 2026
cyberschnaps Credited to cyberschnaps
Active Record RCE bug with Serialized Columns Critical
CVE-2022-32224 was published for activerecord (RubyGems) Jul 12, 2022
OpenC3 COSMOS: Permissions Bypass Provides User Access to Unassigned Administrative Actions via Script Runner Tool Critical
GHSA-2wvh-87g2-89hr was published for openc3 (RubyGems) Apr 23, 2026
suffs811 Credited to suffs811
Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names Critical
CVE-2026-33286 was published for graphiti (RubyGems) Mar 20, 2026
doublevoid Credited to doublevoid and simonrand simonrand simonrand
Katello uses hard coded credential Critical
CVE-2012-3503 was published for katello (RubyGems) May 17, 2022
postmodern Credited to postmodern
Active Record component in Ruby on Rails has a data-type injection vulnerability Critical
CVE-2013-3221 was published for activerecord (RubyGems) May 14, 2022
Active Storage allowed transformation methods that were potentially unsafe Critical
CVE-2025-24293 was published for activestorage (RubyGems) Aug 14, 2025
th4s1s Credited to th4s1s
openc3-api Vulnerable to Unauthenticated Remote Code Execution Critical
CVE-2025-68271 was published for openc3 (RubyGems) Jan 13, 2026
GhostPowerShell Credited to GhostPowerShell
Spree has Remote Command Execution vulnerability in search functionality Critical
CVE-2011-10019 was published for spree (RubyGems) Aug 13, 2025
Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential) Critical
CVE-2025-66567 was published for ruby-saml (RubyGems) Dec 8, 2025
d0ge Credited to d0ge
Ruby-saml allows a Libxml2 Canonicalization error to bypass Digest/Signature validation Critical
CVE-2025-66568 was published for ruby-saml (RubyGems) Dec 8, 2025
d0ge Credited to d0ge
Spree Commerce is vulnerable to RCE through Search API Critical
CVE-2011-10026 was published for rd_searchlogic (RubyGems) Aug 20, 2025
StringIO buffer overread vulnerability Critical
CVE-2024-27280 was published for stringio (RubyGems) Mar 25, 2024
Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential) Critical
CVE-2025-25292 was published for ruby-saml (RubyGems) Mar 12, 2025
p- Credited to p-
graphql allows remote code execution when loading a crafted GraphQL schema Critical
CVE-2025-27407 was published for graphql (RubyGems) Mar 12, 2025
yvvdwf Credited to yvvdwf, rmosolgo, joernchen, and adarshan-gl rmosolgo rmosolgo
joernchen joernchen adarshan-gl adarshan-gl
Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential) Critical
CVE-2025-25291 was published for ruby-saml (RubyGems) Mar 12, 2025
ahacker1-securesaml Credited to ahacker1-securesaml
OpenC3 COSMOS Vulnerable to Directory Traversal via /script-api/scripts/ endpoint Critical
CVE-2025-28384 was published for openc3-cosmos-tool-iframe (RubyGems) Jun 13, 2025
Job Iteration API is vulnerable to OS Command Injection attack through its CsvEnumerator class Critical
CVE-2025-53623 was published for job-iteration (RubyGems) Jul 14, 2025
calysteon Credited to calysteon and yehuda-alt yehuda-alt yehuda-alt
Prototype Pollution in lodash Critical
CVE-2019-10744 was published for lodash (RubyGems) Jul 10, 2019
G-Rath Credited to G-Rath
ProTip! Advisories are also available from the GraphQL API