Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
50
GitHub Actions
50
Go
3,679
Maven
5,000+
npm
5,000+
NuGet
932
pip
4,904
Pub
13
RubyGems
1,053
Rust
1,318
Swift
53
Unreviewed advisories
All unreviewed
5,000+

13 advisories

Loading
Request smuggling is possible when both chunked TE and content length specified Low
CVE-2020-5207 was published for io.ktor:ktor-client-cio (Maven) Jan 27, 2020
Ability to switch channels via GET parameter enabled in production environments Low
CVE-2020-5218 was published for sylius/sylius (Composer) Jan 31, 2020
Lenient Parsing of Content-Length Header When Prefixed with Plus Sign Low
CVE-2021-32715 was published for hyper (Rust) Jul 12, 2021
mattiasgrenfeldt Credited to mattiasgrenfeldt, asta12, and tdunlap607 asta12 asta12
tdunlap607 tdunlap607
Puma with proxy which forwards LF characters as line endings could allow HTTP request smuggling Low
CVE-2021-41136 was published for puma (RubyGems) Oct 12, 2021
asta12 Credited to asta12, mattiasgrenfeldt, and decsecre583 mattiasgrenfeldt mattiasgrenfeldt
decsecre583 decsecre583
Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks Low
CVE-2023-47641 was published for aiohttp (pip) Nov 14, 2023
chinchila Credited to chinchila
Next.js has a Cache poisoning vulnerability due to omission of the Vary header Low
CVE-2025-49005 was published for next (npm) Jul 3, 2025
AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections Low
CVE-2025-53643 was published for aiohttp (pip) Jul 14, 2025
JeppW Credited to JeppW and Dreamsorcerer Dreamsorcerer Dreamsorcerer
Netty vulnerable to request smuggling due to incorrect parsing of chunk extensions Low
CVE-2025-58056 was published for io.netty:netty-codec-http (Maven) Sep 4, 2025
JeppW Credited to JeppW, JLLeitschuh, and yawkat JLLeitschuh JLLeitschuh
yawkat yawkat
AIOHTTP's unicode processing of header values could cause parsing discrepancies Low
CVE-2025-69224 was published for aiohttp (pip) Jan 5, 2026
ThomasRinsma Credited to ThomasRinsma and Dreamsorcerer Dreamsorcerer Dreamsorcerer
AIOHTTP has unicode match groups in regexes for ASCII protocol elements Low
CVE-2025-69225 was published for aiohttp (pip) Jan 5, 2026
ThomasRinsma Credited to ThomasRinsma and Dreamsorcerer Dreamsorcerer Dreamsorcerer
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in... Low Unreviewed
CVE-2026-4742 was published Mar 24, 2026
HCL BigFix Service Management is susceptible to HTTP Request Smuggling.  HTTP request smuggling... Low Unreviewed
CVE-2025-31958 was published Apr 21, 2026
A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The... Low Unreviewed
CVE-2026-2708 was published Apr 24, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database