
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33 advisories

Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain Moderate
CVE-2026-40175 was published for axios (npm) Apr 10, 2026
Credited to raulvdv, SwTan98, Wenxin-Jiang, and jasonsaayman
Credited to mabjr33
Hono missing validation of cookie name on write path in setCookie() Moderate
GHSA-26pp-8wgv-hjvm was published for hono (npm) Apr 8, 2026
Credited to athuljayaram
Credited to vmfunc, oxqnd, and rodrigobnogueira
Electron: HTTP Response Header Injection in custom protocol handlers and webRequest Moderate
CVE-2026-34767 was published for electron (npm) Apr 3, 2026
Credited to athuljayaram
AIOHTTP has CRLF injection through multipart part content type header construction Low
CVE-2026-34514 was published for aiohttp (pip) Apr 1, 2026
Credited to mingijunggrape
AIOHTTP has HTTP response splitting via \r in reason phrase Low
CVE-2026-34519 was published for aiohttp (pip) Apr 1, 2026
Credited to DHIRAL2908
Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie() Moderate
CVE-2026-29086 was published for hono (npm) Mar 4, 2026
Credited to TarPeg007
Gakido vulnerable to HTTP Header Injection (CRLF Injection) Moderate
CVE-2026-24489 was published for gakido (pip) Jan 26, 2026
Credited to omarkurt
BlackSheep's ClientSession is vulnerable to CRLF injection Moderate
CVE-2026-22779 was published for blacksheep (pip) Jan 14, 2026
Credited to tr4ce-ju
Spring Framework vulnerable to a reflected file download (RFD) Moderate
CVE-2025-41234 was published for org.springframework:spring-web (Maven) Jun 13, 2025
Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Tomcat Moderate
CVE-2014-0099 was published for org.apache.tomcat:tomcat (Maven) May 14, 2022
Credited to sunSUNQ
Pitchfork HTTP Request/Response Splitting vulnerability Moderate
CVE-2025-30221 was published for pitchfork (RubyGems) Mar 27, 2025
Jenkins has CRLF Injection Vulnerability in the CLI Moderate
CVE-2016-0789 was published for org.jenkins-ci.main:jenkins-core (Maven) May 14, 2022
Jenkins allows HTTP Injection and Response Splitting Moderate
CVE-2012-6072 was published for org.jenkins-ci.main:jenkins-core (Maven) May 14, 2022
CRLF Injection in RestSharp's `RestRequest.AddHeader` method Moderate
CVE-2024-45302 was published for RestSharp (NuGet) Aug 29, 2024
Credited to sofiaml and Static-Flow
Gateway API route matching order contradicts specification Moderate
CVE-2024-42487 was published for github.com/cilium/cilium (Go) Aug 15, 2024
Credited to sayboras
Inconsistent Interpretation of HTTP Requests in github.com/gin-gonic/gin High
CVE-2020-28483 was published for github.com/gin-gonic/gin (Go) Jun 23, 2021
Low severity vulnerability that affects com.linecorp.armeria:armeria Moderate
CVE-2019-16771 was published for com.linecorp.armeria:armeria (Maven) Dec 5, 2019
Credited to SunBK201
Drupal CRLF injection vulnerability in the drupal_set_header function Moderate
CVE-2016-3166 was published for drupal/core (Composer) May 17, 2022
Credited to divergentdave
phpMyAdmin HTTP Response Splitting Vulnerability High
CVE-2009-1149 was published for phpmyadmin/phpmyadmin (Composer) May 2, 2022
Moodle CRLF Injection Vulnerability in Calendar Component Moderate
CVE-2011-4203 was published for moodle/moodle (Composer) May 13, 2022
HTTP Response Splitting (Early Hints) in Puma Moderate
CVE-2020-5249 was published for puma (RubyGems) Mar 3, 2020