GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
990 advisories
sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest
High
CVE-2026-31830
was published
for
sigstore
(RubyGems)
Mar 11, 2026
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Moderate
CVE-2026-25500
was published
for
rack
(RubyGems)
Feb 17, 2026
Rack has a Directory Traversal via Rack:Directory
High
CVE-2026-22860
was published
for
rack
(RubyGems)
Feb 17, 2026
Sisimai Inefficient Regular Expression Complexity vulnerability
Moderate
CVE-2022-4891
was published
for
sisimai
(RubyGems)
Jan 17, 2023
Unauthenticated Spree Commerce users can view completed guest orders by Order ID
High
CVE-2026-25757
was published
for
spree_storefront
(RubyGems)
Feb 5, 2026
Unauthenticated Spree Commerce users can access all guest addresses
High
CVE-2026-25758
was published
for
spree_api
(RubyGems)
Feb 5, 2026
Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
Moderate
CVE-2026-25765
was published
for
faraday
(RubyGems)
Feb 9, 2026
Decidim's private data exports can lead to data leaks
High
CVE-2025-65017
was published
for
decidim
(RubyGems)
Feb 3, 2026
AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper
Moderate
CVE-2026-23885
was published
for
alchemy_cms
(RubyGems)
Jan 21, 2026
Active Storage allowed transformation methods that were potentially unsafe
Critical
CVE-2025-24293
was published
for
activestorage
(RubyGems)
Aug 14, 2025
Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values
High
CVE-2025-64501
was published
for
prosemirror_to_html
(RubyGems)
Nov 6, 2025
JRuby-OpenSSL has hostname verification disabled by default
Moderate
CVE-2025-46551
was published
for
jruby-openssl
(RubyGems)
May 7, 2025
Denial of Service Vulnerability in ActiveRecord's PostgreSQL adapter
High
CVE-2022-44566
was published
for
activerecord
(RubyGems)
Jan 18, 2023
ProTip!
Advisories are also available from the
GraphQL API