Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
40
Go
2,974
Maven
5,000+
npm
4,621
NuGet
788
pip
4,317
Pub
12
RubyGems
984
Rust
1,131
Swift
49
Unreviewed advisories
All unreviewed
5,000+

984 advisories

Loading
Unauthenticated Spree Commerce users can view completed guest orders by Order ID High
CVE-2026-25757 was published for spree_storefront (RubyGems) Feb 5, 2026
p-
Credited to p-
Unauthenticated Spree Commerce users can access all guest addresses High
CVE-2026-25758 was published for spree_api (RubyGems) Feb 5, 2026
p-
Credited to p-
Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url Moderate
CVE-2026-25765 was published for faraday (RubyGems) Feb 9, 2026
theamanrawat neo-ai-engineer
Credited to theamanrawat and neo-ai-engineer
Bitcoinrb Vulnerable to Command injection via RPC Low
GHSA-q66h-m87m-j2q6 was published for bitcoinrb (RubyGems) Feb 10, 2026
Decidim's private data exports can lead to data leaks High
CVE-2025-65017 was published for decidim (RubyGems) Feb 3, 2026
ahukkanen
Credited to ahukkanen
Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values High
GHSA-w67g-2h6v-vjgq was published for phlex (RubyGems) Feb 6, 2026
fog-kubevirt allows remote attacker to perform MITM attack due to disabled certificate validation High
CVE-2026-1530 was published for fog-kubevirt (RubyGems) Feb 2, 2026
foreman_kubevirt disables SSL verification if a Certificate Authority (CA) certificate is not explicitly set High
CVE-2026-1531 was published for foreman_kubevirt (RubyGems) Feb 2, 2026
Active Record component in Ruby on Rails has a data-type injection vulnerability Critical
CVE-2013-3221 was published for activerecord (RubyGems) May 14, 2022
AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper Moderate
CVE-2026-23885 was published for alchemy_cms (RubyGems) Jan 21, 2026
TheDeepOpc tvdeyen
Credited to TheDeepOpc and tvdeyen
Active Storage allowed transformation methods that were potentially unsafe Critical
CVE-2025-24293 was published for activestorage (RubyGems) Aug 14, 2025
th4s1s
Credited to th4s1s
Duplicate Advisory: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values High
GHSA-4249-gjr8-jpq3 was published for prosemirror_to_html (RubyGems) Nov 13, 2025 withdrawn
Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values High
CVE-2025-64501 was published for prosemirror_to_html (RubyGems) Nov 6, 2025
polypixeldev Luke-Oldenburg
Spone 9021007
Credited to polypixeldev, Luke-Oldenburg, Spone, and 9021007
JRuby-OpenSSL has hostname verification disabled by default Moderate
CVE-2025-46551 was published for jruby-openssl (RubyGems) May 7, 2025
mohamedhafez
Credited to mohamedhafez
ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub() Function SQL Injection High
GHSA-5qw5-wf2q-f538 was published for activerecord-jdbc-adapter (RubyGems) Jan 16, 2026
Active Job - Object injection security vulnerability Moderate
GHSA-mpwp-4h2m-765c was published for activejob (RubyGems) Jan 16, 2026
Cross Site Scripting (XSS) Vulnerability in Fetlife rollout-ui gem Moderate
CVE-2023-25309 was published for rollout-ui (RubyGems) May 11, 2023
Denial of Service Vulnerability in ActiveRecord's PostgreSQL adapter High
CVE-2022-44566 was published for activerecord (RubyGems) Jan 18, 2023
robertoz-01 aviyam181199
G-Rath RDIL
Credited to robertoz-01, aviyam181199, G-Rath, and RDIL
openc3-api Vulnerable to Unauthenticated Remote Code Execution Critical
CVE-2025-68271 was published for openc3 (RubyGems) Jan 13, 2026
GhostPowerShell
Credited to GhostPowerShell
jquery-rails and jquery-ujs subject to Exposure of Sensitive Information Moderate
CVE-2015-1840 was published for jquery-rails (RubyGems) Oct 24, 2017
jQuery vulnerable to Cross-Site Scripting (XSS) Moderate
CVE-2011-4969 was published for jQuery (RubyGems) May 14, 2022
jhutchings1 klaudialax
Credited to jhutchings1 and klaudialax
Spree has Remote Command Execution vulnerability in search functionality Critical
CVE-2011-10019 was published for spree (RubyGems) Aug 13, 2025
Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification Moderate
CVE-2026-22588 was published for spree_api (RubyGems) Jan 8, 2026
httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage High
CVE-2025-68696 was published for httparty (RubyGems) Dec 23, 2025
lambdasawa ashkulz
Credited to lambdasawa and ashkulz
Spree API has Unauthenticated IDOR - Guest Address High
CVE-2026-22589 was published for spree_core (RubyGems) Jan 8, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database