GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

52 advisories

Hackney has CRLF / header injection in WebSocket upgrade request Moderate
CVE-2026-47072 was published for hackney (Erlang) Jun 26, 2026
Credited to PJUllrich and maennchen
Hackney has CR/LF injection in query parameter Moderate
CVE-2026-47075 was published for hackney (Erlang) Jun 26, 2026
Credited to tepel-chen and maennchen
guzzlehttp/psr7: CRLF Injection in HTTP Start-Line Serialization Moderate
CVE-2026-55766 was published for guzzlehttp/psr7 (Composer) Jun 19, 2026
Credited to iliaal
undici vulnerable to HTTP header injection via Set-Cookie percent-decoding Moderate
CVE-2026-9679 was published for undici (npm) Jun 19, 2026
Credited to tndud042713, mcollina, KhafraDev, and UlisesGascon
Kirby: Request header injection in `Http\Remote` Moderate
CVE-2026-50188 was published for getkirby/cms (Composer) Jun 18, 2026
Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection Moderate
GHSA-268h-hp4c-crq3 was published for nodemailer (npm) Jun 15, 2026
Credited to sondt99 and dungNHVhust
SwiftNIO: CRLF Injection in outbound HTTP request URI via NIOHTTPRequestHeadersValidator Moderate
CVE-2026-28970 was published for github.com/apple/swift-nio (Swift) Jun 12, 2026
Credited to kuranikaran and YLChen-007
guzzlehttp/psr7 has CRLF Injection via URI Host Component Moderate
CVE-2026-49214 was published for guzzlehttp/psr7 (Composer) Jun 11, 2026
Credited to edorian
Net::IMAP: Command Injection via ID command argument Moderate
CVE-2026-47242 was published for net-imap (RubyGems) Jun 9, 2026
Credited to nevans
Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument Moderate
CVE-2026-47240 was published for net-imap (RubyGems) Jun 9, 2026
Credited to nevans
Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names Moderate
CVE-2026-45070 was published for symfony/mime (Composer) May 27, 2026
Credited to alexandre-daubois
eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields Moderate
CVE-2026-44214 was published for eventsource-encoder (npm) May 8, 2026
Netty Redis Codec Encoder has a CRLF Injection Issue Moderate
CVE-2026-42586 was published for io.netty:netty-codec-redis (Maven) May 7, 2026
Credited to August829
sse-channel: SSE Injection via unsanitized event fields Moderate
CVE-2026-44217 was published for sse-channel (npm) May 5, 2026
Credited to SnailSploit
AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing Moderate
CVE-2026-43882 was published for wwbn/avideo (Composer) May 5, 2026
Credited to offset
Netty: Start-Line Injection in DefaultHttpRequest.setUri() Allows HTTP Request Smuggling and RTSP Request Injection Moderate
CVE-2026-41417 was published for io.netty:netty-codec-http (Maven) May 5, 2026
Credited to oxqnd, aest3ra, and mjkim610
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream Moderate
CVE-2026-42037 was published for axios (npm) May 5, 2026
Credited to kobi-s
net-imap vulnerable to command Injection via "raw" arguments to multiple commands Moderate
CVE-2026-42257 was published for net-imap (RubyGems) May 4, 2026
Credited to manunio and nevans
net-imap vulnerable to command Injection via unvalidated Symbol inputs Moderate
CVE-2026-42258 was published for net-imap (RubyGems) May 4, 2026
Credited to manunio
Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output Moderate
CVE-2026-35601 was published for code.vikunja.io/api (Go) Apr 10, 2026
Credited to adrgs and aisafe-bot
Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO) Moderate
GHSA-vvjj-xcjg-gr5g was published for nodemailer (npm) Apr 8, 2026
Credited to tndud042713
Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values Moderate
CVE-2026-26962 was published for rack (RubyGems) Apr 2, 2026
Credited to wtn, jeremyevans, and ioquatix
iCalendar has ICS injection via unsanitized URI property values Moderate
CVE-2026-33635 was published for icalendar (RubyGems) Mar 24, 2026
Credited to WesR
Undici has CRLF Injection in undici via `upgrade` option Moderate
CVE-2026-1527 was published for undici (npm) Mar 13, 2026
Credited to mcollina and UlisesGascon