Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
86
GitHub Actions
54
Go
4,175
Maven
5,000+
npm
5,000+
NuGet
1,019
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,421
Swift
61
Unreviewed advisories
All unreviewed
5,000+

157 advisories

Loading
HTTP Request Smuggling in Netty High
CVE-2019-16869 was published for io.netty:netty (Maven) Oct 11, 2019
G-Rath Credited to G-Rath, westonsteimel, and SunBK201 westonsteimel westonsteimel
SunBK201 SunBK201
PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling High
CVE-2026-48979 was published for php-standard-library/h2 (Composer) Jun 26, 2026
azjezz Credited to azjezz
http4k: `reverseProxy()` defaulted to substring (`Contains`) matching on `Host`; tightened to `Exact` Moderate
GHSA-jrpc-7vxp-69p6 was published for org.http4k:http4k-core (Maven) Jun 19, 2026
Caddy: FastCGI header normalization bypass in `forward_auth copy_headers` High
CVE-2026-52845 was published for github.com/caddyserver/caddy (Go) Jun 16, 2026
Vincent550102 Credited to Vincent550102
vLLM: OpenAI auth bypass Critical
CVE-2026-48746 was published for vllm (pip) Jun 16, 2026
x41j Credited to x41j, russellb, and DarkLight1337 russellb russellb
DarkLight1337 DarkLight1337
Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted Moderate
CVE-2026-50020 was published for io.netty:netty-codec-http (Maven) Jun 15, 2026
chrisvest Credited to chrisvest
python-multipart: Semicolon treated as querystring field separator enables parameter smuggling Low
CVE-2026-53538 was published for python-multipart (pip) Jun 15, 2026
maxisbey Credited to maxisbey
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning Low
CVE-2026-46342 was published for @nuxt/nitro-server (npm) May 19, 2026
fancymalware Credited to fancymalware
SwiftNIO HTTP/2: HTTP/2-to-HTTP/1 Request Smuggling via unvalidated :path pseudo-header in HTTP2ToHTTP1Codec Low
CVE-2026-28898 was published for github.com/apple/swift-nio-http2 (Swift) Jun 12, 2026
kuranikaran Credited to kuranikaran
Undertow is Vulnerable to HTTP Request/Response Smuggling High
CVE-2026-28367 was published for io.undertow:undertow-parent (Maven) Mar 27, 2026
Undertow is Vulnerable to HTTP Request/Response Smuggling High
CVE-2026-28368 was published for io.undertow:undertow-parent (Maven) Mar 27, 2026
Undertow is Vulnerable to HTTP Request/Response Smuggling High
CVE-2026-28369 was published for io.undertow:undertow-parent (Maven) Mar 27, 2026
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths Moderate
CVE-2026-47676 was published for hono (npm) Jun 4, 2026
Rootingg Credited to Rootingg
Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks Moderate
CVE-2026-48710 was published for starlette (pip) Jun 4, 2026
x41j Credited to x41j, ehhthing, and nic-lovin ehhthing ehhthing
nic-lovin nic-lovin
Apache Tomcat has an HTTP Request/Response Smuggling vulnerability High
CVE-2026-24880 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Apr 9, 2026
tkwilli94 Credited to tkwilli94 and aruneko aruneko aruneko
Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing High
CVE-2026-2332 was published for org.eclipse.jetty:jetty-http (Maven) Apr 14, 2026
xclow3n Credited to xclow3n, jhy, and tlarionova-max jhy jhy
tlarionova-max tlarionova-max
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain Moderate
CVE-2026-40175 was published for axios (npm) Apr 10, 2026
raulvdv Credited to raulvdv, SwTan98, Wenxin-Jiang, jasonsaayman, and ylemkimon SwTan98 SwTan98
Wenxin-Jiang Wenxin-Jiang jasonsaayman jasonsaayman ylemkimon ylemkimon
Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding Moderate
CVE-2026-42585 was published for io.netty:netty-codec-http (Maven) May 7, 2026
violetagg Credited to violetagg
Netty has HttpClientCodec response desynchronization High
CVE-2026-42584 was published for io.netty:netty-codec-http (Maven) May 7, 2026
violetagg Credited to violetagg
Netty vulnerable to HTTP Request Smuggling due to incorrect chunk size parsing Moderate
CVE-2026-42580 was published for io.netty:netty-codec-http (Maven) May 7, 2026
violetagg Credited to violetagg
Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization Moderate
CVE-2026-42581 was published for io.netty:netty-codec-http (Maven) May 7, 2026
subbudvk Credited to subbudvk
RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency Critical
CVE-2025-22871 was published for spiral/roadrunner (Composer) Apr 8, 2025
dt-thomas-durand Credited to dt-thomas-durand
Netty: Start-Line Injection in DefaultHttpRequest.setUri() Allows HTTP Request Smuggling and RTSP Request Injection Moderate
CVE-2026-41417 was published for io.netty:netty-codec-http (Maven) May 5, 2026
oxqnd Credited to oxqnd, aest3ra, and mjkim610 aest3ra aest3ra
mjkim610 mjkim610
Bandit is vulnerable to CL.CL request smuggling via unrejected duplicate `Content-Length` header Moderate
CVE-2026-39805 was published for bandit (Erlang) May 7, 2026
PJUllrich Credited to PJUllrich, mtrudel, and maennchen mtrudel mtrudel
maennchen maennchen
actix-http has HTTP/1.1 CL.TE Request Smuggling Moderate
GHSA-xhj4-vrgc-hr34 was published for actix-http (Rust) Apr 22, 2026
mufeedvh Credited to mufeedvh
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database