GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
991 advisories
Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial)
Moderate
CVE-2024-25126
was published
for
rack
(RubyGems)
Feb 28, 2024
YARD's default template vulnerable to Cross-site Scripting in generated frames.html
Moderate
CVE-2024-27285
was published
for
yard
(RubyGems)
Feb 28, 2024
Rails has possible Sensitive Session Information Leak in Active Storage
Moderate
CVE-2024-26144
was published
for
activestorage
(RubyGems)
Feb 27, 2024
Rails has possible XSS Vulnerability in Action Controller
Moderate
CVE-2024-26143
was published
for
actionpack
(RubyGems)
Feb 27, 2024
Katello uses hard coded credential
Critical
CVE-2012-3503
was published
for
katello
(RubyGems)
May 17, 2022
sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest
High
CVE-2026-31830
was published
for
sigstore
(RubyGems)
Mar 11, 2026
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Moderate
CVE-2026-25500
was published
for
rack
(RubyGems)
Feb 17, 2026
Rack has a Directory Traversal via Rack:Directory
High
CVE-2026-22860
was published
for
rack
(RubyGems)
Feb 17, 2026
Sisimai Inefficient Regular Expression Complexity vulnerability
Moderate
CVE-2022-4891
was published
for
sisimai
(RubyGems)
Jan 17, 2023
Unauthenticated Spree Commerce users can view completed guest orders by Order ID
High
CVE-2026-25757
was published
for
spree_storefront
(RubyGems)
Feb 5, 2026
Unauthenticated Spree Commerce users can access all guest addresses
High
CVE-2026-25758
was published
for
spree_api
(RubyGems)
Feb 5, 2026
Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
Moderate
CVE-2026-25765
was published
for
faraday
(RubyGems)
Feb 9, 2026
Decidim's private data exports can lead to data leaks
High
CVE-2025-65017
was published
for
decidim
(RubyGems)
Feb 3, 2026
AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper
Moderate
CVE-2026-23885
was published
for
alchemy_cms
(RubyGems)
Jan 21, 2026
Active Storage allowed transformation methods that were potentially unsafe
Critical
CVE-2025-24293
was published
for
activestorage
(RubyGems)
Aug 14, 2025
ProTip!
Advisories are also available from the
GraphQL API