GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
34 advisories
Filter by severity
mint: Content-Length header accepts non-RFC "+" sign prefix
Moderate
CVE-2026-49753
was published
for
mint
(Erlang)
Jul 9, 2026
oban_web missing authorization check on `save-job` event handler
Moderate
CVE-2026-48592
was published
for
oban_web
(Erlang)
Jun 30, 2026
oban_web: Unbounded range expansion in cron describe causes memory exhaustion
Moderate
CVE-2026-48593
was published
for
oban_web
(Erlang)
Jun 30, 2026
RabbitMQ vulnerable to Denial of Service by publishing large messages over the HTTP API
Moderate
CVE-2023-46118
was published
for
rabbit_common
(Erlang)
Jun 30, 2026
RabbitMQ has predictable credential obfuscation seed value used in Shovel and Federation plugins
Moderate
CVE-2022-31008
was published
for
rabbit_common
(Erlang)
Jun 30, 2026
Hackney has CRLF / header injection in WebSocket upgrade request
Moderate
CVE-2026-47072
was published
for
hackney
(Erlang)
Jun 26, 2026
Hackney has CR/LF injection in query parameter
Moderate
CVE-2026-47075
was published
for
hackney
(Erlang)
Jun 26, 2026
Hackney: Cross-origin Redirect Leaks Authorization, Cookie, and Request Body
Moderate
CVE-2026-47070
was published
for
hackney
(Erlang)
Jun 26, 2026
Hackney has SSRF allowlist bypass in hackney_url:normalize/2 via percent-encoded host
Moderate
CVE-2026-47076
was published
for
hackney
(Erlang)
Jun 26, 2026
earmark: Stored XSS via unescaped HTML attribute values
Moderate
CVE-2026-48591
was published
for
earmark
(Erlang)
Jun 17, 2026
Decimal: Unbounded exponent in `Decimal.new` enables unauthenticated DoS
Moderate
CVE-2026-32686
was published
for
decimal
(Erlang)
May 12, 2026
ninenines cowlib: Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability allows SSE event splitting and injection via unvalidated field values
Moderate
CVE-2026-43968
was published
for
cowlib
(Erlang)
May 11, 2026
Bandit HTTP/2 Frame Size Limit Bypass via Late Buffer Check Enables Memory Exhaustion
Moderate
CVE-2026-42788
was published
for
bandit
(Erlang)
May 7, 2026
Bandit trusts client-supplied URI scheme on plaintext connections
Moderate
CVE-2026-39807
was published
for
bandit
(Erlang)
May 7, 2026
Bandit is vulnerable to CL.CL request smuggling via unrejected duplicate `Content-Length` header
Moderate
CVE-2026-39805
was published
for
bandit
(Erlang)
May 7, 2026
ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting)
Moderate
CVE-2026-34715
was published
for
ewe
(Erlang)
Apr 1, 2026
esaml XXE vulnerability allows local file disclosure and SSRF via crafted SAML messages
Moderate
CVE-2026-28809
was published
for
esaml
(Erlang)
Mar 23, 2026
Permissive List of Allowed Inputs in ewe
Moderate
CVE-2026-32881
was published
for
ewe
(Erlang)
Mar 16, 2026
ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay
Moderate
CVE-2025-68113
was published
for
altcha
(RubyGems)
Dec 16, 2025
ash_authentication has email link auto-click account confirmation vulnerability
Moderate
CVE-2025-32782
was published
for
ash_authentication
(Erlang)
Apr 14, 2025
Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`
Moderate
CVE-2025-25202
was published
for
ash_authentication
(Erlang)
Feb 11, 2025
In AshPostgres, empty, atomic, non-bulk actions, policy bypass for side-effects vulnerability.
Moderate
CVE-2024-49756
was published
for
ash_postgres
(Erlang)
Oct 23, 2024
OpenID Connect client Atom Exhaustion in provider configuration worker ets table location
Moderate
CVE-2024-31209
was published
for
oidcc
(Erlang)
Apr 3, 2024
erlang-jose vulnerable to denial of service via large p2c value
Moderate
CVE-2023-50966
was published
for
jose
(Erlang)
Mar 19, 2024
Pow Mnesia cache doesn't invalidate all expired keys on startup
Moderate
CVE-2023-42446
was published
for
pow
(Erlang)
Sep 19, 2023
ProTip!
Advisories are also available from the
GraphQL API