Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

26 advisories

Loading
Plug.Cowboy vulnerable to unauthenticated remote DoS via HTTP/2 `:scheme` atom-table exhaustion High
CVE-2026-32688 was published for plug_cowboy (Erlang) May 5, 2026
PJUllrich Credited to PJUllrich
Bandit's unbounded WebSocket inflate causes BEAM OOM with a single frame High
CVE-2026-39804 was published for bandit (Erlang) May 7, 2026
PJUllrich Credited to PJUllrich, mtrudel, and maennchen mtrudel mtrudel
maennchen maennchen
PJUllrich Credited to PJUllrich, mtrudel, and maennchen mtrudel mtrudel
maennchen maennchen
Bandit is vulnerable to CL.CL request smuggling via unrejected duplicate `Content-Length` header Moderate
CVE-2026-39805 was published for bandit (Erlang) May 7, 2026
PJUllrich Credited to PJUllrich, mtrudel, and maennchen mtrudel mtrudel
maennchen maennchen
Bandit trusts client-supplied URI scheme on plaintext connections Moderate
CVE-2026-39807 was published for bandit (Erlang) May 7, 2026
PJUllrich Credited to PJUllrich, mtrudel, and maennchen mtrudel mtrudel
maennchen maennchen
Bandit HTTP/2 Frame Size Limit Bypass via Late Buffer Check Enables Memory Exhaustion Moderate
CVE-2026-42788 was published for bandit (Erlang) May 7, 2026
PJUllrich Credited to PJUllrich and maennchen maennchen maennchen
Phoenix: Long-poll NDJSON body splitting causes large memory allocation High
CVE-2026-32689 was published for phoenix (Erlang) May 8, 2026
PJUllrich Credited to PJUllrich
Decimal: Unbounded exponent in `Decimal.new` enables unauthenticated DoS Moderate
CVE-2026-32686 was published for decimal (Erlang) May 12, 2026
PJUllrich Credited to PJUllrich, ericmj, josevalim, wojtekmach, maennchen, ruslandoga, and warmwaffles ericmj ericmj
josevalim josevalim wojtekmach wojtekmach maennchen maennchen ruslandoga ruslandoga warmwaffles warmwaffles
Absinthe: Unbounded atom creation from parsed directive name High
CVE-2026-42793 was published for absinthe (Erlang) May 14, 2026
PJUllrich Credited to PJUllrich and cschiewek cschiewek cschiewek
Absinthe: Quadratic fragment-name uniqueness check High
CVE-2026-43967 was published for absinthe (Erlang) May 14, 2026
PJUllrich Credited to PJUllrich and cschiewek cschiewek cschiewek
Postgrex: Channel-name SQL injection in `Postgrex.Notifications.listen/3` High
CVE-2026-32687 was published for postgrex (Erlang) May 18, 2026
PJUllrich Credited to PJUllrich
Bandit: Unauthenticated one-shot DoS via `Transfer-Encoding: chunked` High
CVE-2026-39803 was published for bandit (Erlang) May 19, 2026
PJUllrich Credited to PJUllrich, mtrudel, and maennchen mtrudel mtrudel
maennchen maennchen
Bandit: Unauthenticated DoS via chunked request trailers in Bandit HTTP/1 decoder High
CVE-2026-39806 was published for bandit (Erlang) May 19, 2026
PJUllrich Credited to PJUllrich, mtrudel, and maennchen mtrudel mtrudel
maennchen maennchen
PhoenixStorybook: Unbounded atom creation from LiveView event params (atom-table DoS) High
CVE-2026-8469 was published for phoenix_storybook (Erlang) Jun 9, 2026
PJUllrich Credited to PJUllrich, cblavier, and maennchen cblavier cblavier
maennchen maennchen
PhoenixStorybook has cross-session PubSub topic injection via URL parameter Low
CVE-2026-47068 was published for phoenix_storybook (Erlang) Jun 9, 2026
PJUllrich Credited to PJUllrich, cblavier, and maennchen cblavier cblavier
maennchen maennchen
Hackney has an infinite loop on non-token byte at start of an Alt-Svc entry High
CVE-2026-47066 was published for hackney (Erlang) Jun 26, 2026
PJUllrich Credited to PJUllrich and maennchen maennchen maennchen
Hackney: `ssl:connect/2` post-handshake upgrade has no timeout High
CVE-2026-47071 was published for hackney (Erlang) Jun 26, 2026
PJUllrich Credited to PJUllrich and maennchen maennchen maennchen
Hackney has CRLF / header injection via unvalidated `domain` and `path` options Low
CVE-2026-47069 was published for hackney (Erlang) Jun 26, 2026
PJUllrich Credited to PJUllrich and maennchen maennchen maennchen
Hackney: Cross-origin Redirect Leaks Authorization, Cookie, and Request Body Moderate
CVE-2026-47070 was published for hackney (Erlang) Jun 26, 2026
PJUllrich Credited to PJUllrich and maennchen maennchen maennchen
Hackney: Per-chunk timeout with unbounded body accumulation enables slow-drip OOM High
CVE-2026-47077 was published for hackney (Erlang) Jun 26, 2026
PJUllrich Credited to PJUllrich and maennchen maennchen maennchen
Hackney has CRLF / header injection in WebSocket upgrade request Moderate
CVE-2026-47072 was published for hackney (Erlang) Jun 26, 2026
PJUllrich Credited to PJUllrich and maennchen maennchen maennchen
Hackney has unbounded buffer accumulation in WebSocket High
CVE-2026-47073 was published for hackney (Erlang) Jun 26, 2026
PJUllrich Credited to PJUllrich and maennchen maennchen maennchen
Hackney vulnerable to atom-table exhaustion via unrecognized URL schemes High
CVE-2026-47067 was published for hackney (Erlang) Jun 26, 2026
PJUllrich Credited to PJUllrich and maennchen maennchen maennchen
ex_aws_sns: Trusted-attacker `SigningCertURL` permits complete SNS signature bypass High
CVE-2026-47074 was published for ex_aws_sns (Erlang) Jun 26, 2026
PJUllrich Credited to PJUllrich, bernardd, and maennchen bernardd bernardd
maennchen maennchen
oban_web: Unbounded range expansion in cron describe causes memory exhaustion Moderate
CVE-2026-48593 was published for oban_web (Erlang) Jun 30, 2026
PJUllrich Credited to PJUllrich, sorenone, and maennchen sorenone sorenone
maennchen maennchen
ProTip! Advisories are also available from the GraphQL API