GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
998 advisories
Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names
Critical
CVE-2026-33286
was published
for
graphiti
(RubyGems)
Mar 20, 2026
Ruby JSON has a format string injection vulnerability
High
CVE-2026-33210
was published
for
json
(RubyGems)
Mar 19, 2026
Avo has a XSS vulnerability on `return_to` param
Moderate
CVE-2026-33209
was published
for
avo
(RubyGems)
Mar 18, 2026
Devise has a confirmable "change email" race condition permits user to confirm email they have no access to
Moderate
CVE-2026-32700
was published
for
devise
(RubyGems)
Mar 17, 2026
sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest
High
CVE-2026-31830
was published
for
sigstore
(RubyGems)
Mar 11, 2026
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Moderate
CVE-2026-25500
was published
for
rack
(RubyGems)
Feb 17, 2026
Rack has a Directory Traversal via Rack:Directory
High
CVE-2026-22860
was published
for
rack
(RubyGems)
Feb 17, 2026
Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url
Moderate
CVE-2026-25765
was published
for
faraday
(RubyGems)
Feb 9, 2026
Unauthenticated Spree Commerce users can access all guest addresses
High
CVE-2026-25758
was published
for
spree_api
(RubyGems)
Feb 5, 2026
Unauthenticated Spree Commerce users can view completed guest orders by Order ID
High
CVE-2026-25757
was published
for
spree_storefront
(RubyGems)
Feb 5, 2026
Decidim's private data exports can lead to data leaks
High
CVE-2025-65017
was published
for
decidim
(RubyGems)
Feb 3, 2026
AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper
Moderate
CVE-2026-23885
was published
for
alchemy_cms
(RubyGems)
Jan 21, 2026
ProTip!
Advisories are also available from the
GraphQL API