Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

34 advisories

Loading
mint: Content-Length header accepts non-RFC "+" sign prefix Moderate
CVE-2026-49753 was published for mint (Erlang) Jul 9, 2026
PJUllrich Credited to PJUllrich, ericmj, and maennchen ericmj ericmj
maennchen maennchen
oban_web missing authorization check on `save-job` event handler Moderate
CVE-2026-48592 was published for oban_web (Erlang) Jun 30, 2026
PJUllrich Credited to PJUllrich, sorentwo, and maennchen sorentwo sorentwo
maennchen maennchen
oban_web: Unbounded range expansion in cron describe causes memory exhaustion Moderate
CVE-2026-48593 was published for oban_web (Erlang) Jun 30, 2026
PJUllrich Credited to PJUllrich, sorenone, and maennchen sorenone sorenone
maennchen maennchen
RabbitMQ vulnerable to Denial of Service by publishing large messages over the HTTP API Moderate
CVE-2023-46118 was published for rabbit_common (Erlang) Jun 30, 2026
NSEcho Credited to NSEcho
RabbitMQ has predictable credential obfuscation seed value used in Shovel and Federation plugins Moderate
CVE-2022-31008 was published for rabbit_common (Erlang) Jun 30, 2026
Hackney has CRLF / header injection in WebSocket upgrade request Moderate
CVE-2026-47072 was published for hackney (Erlang) Jun 26, 2026
PJUllrich Credited to PJUllrich and maennchen maennchen maennchen
Hackney has CR/LF injection in query parameter Moderate
CVE-2026-47075 was published for hackney (Erlang) Jun 26, 2026
tepel-chen Credited to tepel-chen and maennchen maennchen maennchen
Hackney: Cross-origin Redirect Leaks Authorization, Cookie, and Request Body Moderate
CVE-2026-47070 was published for hackney (Erlang) Jun 26, 2026
PJUllrich Credited to PJUllrich and maennchen maennchen maennchen
Hackney has SSRF allowlist bypass in hackney_url:normalize/2 via percent-encoded host Moderate
CVE-2026-47076 was published for hackney (Erlang) Jun 26, 2026
Ganbagana Credited to Ganbagana and maennchen maennchen maennchen
earmark: Stored XSS via unescaped HTML attribute values Moderate
CVE-2026-48591 was published for earmark (Erlang) Jun 17, 2026
Decimal: Unbounded exponent in `Decimal.new` enables unauthenticated DoS Moderate
CVE-2026-32686 was published for decimal (Erlang) May 12, 2026
PJUllrich Credited to PJUllrich, ericmj, josevalim, wojtekmach, maennchen, ruslandoga, and warmwaffles ericmj ericmj
josevalim josevalim wojtekmach wojtekmach maennchen maennchen ruslandoga ruslandoga warmwaffles warmwaffles
Bandit HTTP/2 Frame Size Limit Bypass via Late Buffer Check Enables Memory Exhaustion Moderate
CVE-2026-42788 was published for bandit (Erlang) May 7, 2026
PJUllrich Credited to PJUllrich and maennchen maennchen maennchen
Bandit trusts client-supplied URI scheme on plaintext connections Moderate
CVE-2026-39807 was published for bandit (Erlang) May 7, 2026
PJUllrich Credited to PJUllrich, mtrudel, and maennchen mtrudel mtrudel
maennchen maennchen
Bandit is vulnerable to CL.CL request smuggling via unrejected duplicate `Content-Length` header Moderate
CVE-2026-39805 was published for bandit (Erlang) May 7, 2026
PJUllrich Credited to PJUllrich, mtrudel, and maennchen mtrudel mtrudel
maennchen maennchen
athuljayaram Credited to athuljayaram
esaml XXE vulnerability allows local file disclosure and SSRF via crafted SAML messages Moderate
CVE-2026-28809 was published for esaml (Erlang) Mar 23, 2026
Permissive List of Allowed Inputs in ewe Moderate
CVE-2026-32881 was published for ewe (Erlang) Mar 16, 2026
jtdowney Credited to jtdowney
ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay Moderate
CVE-2025-68113 was published for altcha (RubyGems) Dec 16, 2025
eternal-flame-AD Credited to eternal-flame-AD
ash_authentication has email link auto-click account confirmation vulnerability Moderate
CVE-2025-32782 was published for ash_authentication (Erlang) Apr 14, 2025
zachdaniel Credited to zachdaniel, jimsynz, maennchen, barnabasJ, and sevenseacat jimsynz jimsynz
maennchen maennchen barnabasJ barnabasJ sevenseacat sevenseacat
Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install` Moderate
CVE-2025-25202 was published for ash_authentication (Erlang) Feb 11, 2025
wilburyang Credited to wilburyang, zachdaniel, and jimsynz zachdaniel zachdaniel
jimsynz jimsynz
In AshPostgres, empty, atomic, non-bulk actions, policy bypass for side-effects vulnerability. Moderate
CVE-2024-49756 was published for ash_postgres (Erlang) Oct 23, 2024
maennchen Credited to maennchen, rapidfsub, and zachdaniel rapidfsub rapidfsub
zachdaniel zachdaniel
OpenID Connect client Atom Exhaustion in provider configuration worker ets table location Moderate
CVE-2024-31209 was published for oidcc (Erlang) Apr 3, 2024
mohamedalikhechine Credited to mohamedalikhechine, robertfiko, maennchen, paulswartz, and SAFE-Erlang-Elixir robertfiko robertfiko
maennchen maennchen paulswartz paulswartz SAFE-Erlang-Elixir SAFE-Erlang-Elixir
erlang-jose vulnerable to denial of service via large p2c value Moderate
CVE-2023-50966 was published for jose (Erlang) Mar 19, 2024
maennchen Credited to maennchen
Pow Mnesia cache doesn't invalidate all expired keys on startup Moderate
CVE-2023-42446 was published for pow (Erlang) Sep 19, 2023
gVirtu Credited to gVirtu
ProTip! Advisories are also available from the GraphQL API