Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
41
Go
2,992
Maven
5,000+
npm
4,705
NuGet
788
pip
4,328
Pub
12
RubyGems
987
Rust
1,134
Swift
49
Unreviewed advisories
All unreviewed
5,000+

278 advisories

Loading
An issue was discovered in Akamai Ghost, as used for the Akamai CDN platform before 2025-03-26.... Moderate Unreviewed
CVE-2025-32094 was published Aug 7, 2025
AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections Low
CVE-2025-53643 was published for aiohttp (pip) Jul 14, 2025
JeppW
Credited to JeppW
Next.JS vulnerability can lead to DoS via cache poisoning High
CVE-2025-49826 was published for next (npm) Jul 3, 2025
cold-try
Credited to cold-try
Next.js has a Cache poisoning vulnerability due to omission of the Vary header Low
CVE-2025-49005 was published for next (npm) Jul 3, 2025
Ruby WEBrick read_headers method can lead to HTTP Request/Response Smuggling Moderate
CVE-2025-6442 was published for webrick (RubyGems) Jun 26, 2025
Pingora has a Request Smuggling Vulnerability High
CVE-2025-4366 was published for pingora-core (Rust) Jun 20, 2025
Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies High
CVE-2025-41235 was published for org.springframework.cloud:spring-cloud-gateway-server (Maven) May 30, 2025
coreyconway
Credited to coreyconway
Duplicate Advisory: Pingora Request Smuggling and Cache Poisoning High
GHSA-3qmp-g57h-rxf2 was published for pingora-core (Rust) May 22, 2025 withdrawn
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX`... Moderate Unreviewed
CVE-2025-23167 was published May 19, 2025
A request smuggling vulnerability existed in the Google Cloud Classic Application Load Balancer... High Unreviewed
CVE-2025-4600 was published May 16, 2025
Varnish Cache before 7.6.3 and 7.7 before 7.7.1, and Varnish Enterprise before 6.0.13r14, allow... Moderate Unreviewed
CVE-2025-47905 was published May 14, 2025
Radware Cloud Web Application Firewall (WAF) before 2025-05-07 allows remote attackers to bypass... Critical Unreviewed
CVE-2024-56523 was published May 12, 2025
h11 accepts some malformed Chunked-Encoding bodies Critical
CVE-2025-43859 was published for h11 (pip) Apr 24, 2025
JeppW
Credited to JeppW
An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a remote attacker to conduct... High Unreviewed
CVE-2024-33452 was published Apr 22, 2025
croogo Host header injection Moderate
CVE-2024-29643 was published for croogo/croogo (Composer) Apr 21, 2025
CVE-2025-1386- Query smuggling in ch-go library Moderate
CVE-2025-1386 was published for github.com/ClickHouse/ch-go (Go) Apr 12, 2025
RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency Critical
CVE-2025-22871 was published for spiral/roadrunner (Composer) Apr 8, 2025
dt-thomas-durand
Credited to dt-thomas-durand
Apache Traffic Server allows request smuggling if chunked messages are malformed.  This... High Unreviewed
CVE-2024-53868 was published Apr 3, 2025
Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers High
CVE-2025-31137 was published for @react-router/express (npm) Apr 1, 2025
cold-try
Credited to cold-try
IBM Cognos Controller 11.0.0 through 11.1.0 is vulnerable to a Client-Side Desync (CSD) attack... Moderate Unreviewed
CVE-2022-39163 was published Mar 26, 2025
Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via... Moderate Unreviewed
CVE-2025-30346 was published Mar 21, 2025
Gunicorn HTTP Request/Response Smuggling vulnerability High
CVE-2024-6827 was published for gunicorn (pip) Mar 20, 2025
xzpjerry
Credited to xzpjerry
HTTP Request Smuggling vulnerability in netease-youdao/qanything version 1.4.1 allows attackers... High Unreviewed
CVE-2024-10264 was published Mar 20, 2025
In JetBrains Ktor before 3.1.1 an HTTP Request Smuggling was possible Moderate Unreviewed
CVE-2025-29904 was published Mar 12, 2025
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in... Critical Unreviewed
CVE-2025-1867 was published Mar 3, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database