GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
91 GitHub reviewed advisories for the Erlang ecosystem (the entries listed on this page are shown below).

Title | Severity | Identifier | Package (ecosystem) | Published
oban_web missing authorization check on `save-job` event handler | Moderate | CVE-2026-48592 | oban_web (Erlang) | Jun 30, 2026
oban_web: Unbounded range expansion in cron describe causes memory exhaustion | Moderate | CVE-2026-48593 | oban_web (Erlang) | Jun 30, 2026
RabbitMQ vulnerable to Denial of Service by publishing large messages over the HTTP API | Moderate | CVE-2023-46118 | rabbit_common (Erlang) | Jun 30, 2026
RabbitMQ has predictable credential obfuscation seed value used in Shovel and Federation plugins | Moderate | CVE-2022-31008 | rabbit_common (Erlang) | Jun 30, 2026
ex_aws_sns: Trusted-attacker `SigningCertURL` permits complete SNS signature bypass | High | CVE-2026-47074 | ex_aws_sns (Erlang) | Jun 26, 2026
Hackney vulnerable to atom-table exhaustion via unrecognized URL schemes | High | CVE-2026-47067 | hackney (Erlang) | Jun 26, 2026
Hackney has unbounded buffer accumulation in WebSocket | High | CVE-2026-47073 | hackney (Erlang) | Jun 26, 2026
Hackney has CRLF / header injection in WebSocket upgrade request | Moderate | CVE-2026-47072 | hackney (Erlang) | Jun 26, 2026
Hackney has CR/LF injection in query parameter | Moderate | CVE-2026-47075 | hackney (Erlang) | Jun 26, 2026
Hackney: Per-chunk timeout with unbounded body accumulation enables slow-drip OOM | High | CVE-2026-47077 | hackney (Erlang) | Jun 26, 2026
Hackney: Cross-origin Redirect Leaks Authorization, Cookie, and Request Body | Moderate | CVE-2026-47070 | hackney (Erlang) | Jun 26, 2026
Hackney has SSRF allowlist bypass in hackney_url:normalize/2 via percent-encoded host | Moderate | CVE-2026-47076 | hackney (Erlang) | Jun 26, 2026
Hackney has CRLF / header injection via unvalidated `domain` and `path` options | Low | CVE-2026-47069 | hackney (Erlang) | Jun 26, 2026
Hackney: `ssl:connect/2` post-handshake upgrade has no timeout | High | CVE-2026-47071 | hackney (Erlang) | Jun 26, 2026
Hackney has an infinite loop on non-token byte at start of an Alt-Svc entry | High | CVE-2026-47066 | hackney (Erlang) | Jun 26, 2026
Relyra SAML SignatureValue not cryptographically verified -> authentication bypass | Critical | CVE-2026-49454 | relyra (Erlang) | Jun 26, 2026
earmark: Stored XSS via unescaped HTML attribute values | Moderate | CVE-2026-48591 | earmark (Erlang) | Jun 17, 2026
PhoenixStorybook has cross-session PubSub topic injection via URL parameter | Low | CVE-2026-47068 | phoenix_storybook (Erlang) | Jun 9, 2026
PhoenixStorybook: Unbounded atom creation from LiveView event params (atom-table DoS) | High | CVE-2026-8469 | phoenix_storybook (Erlang) | Jun 9, 2026
PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground | Critical | CVE-2026-8467 | phoenix_storybook (Erlang) | Jun 9, 2026
Duplicate Advisory: Hackney has an Allocation of Resources Without Limits or Throttling vulnerability | High | GHSA-76v6-f83q-pxvh (withdrawn) | hackney (Erlang) | May 26, 2026
Plug: Unbounded buffer accumulation in multipart header parsing causes denial of service | High | CVE-2026-8468 | plug (Erlang) | May 20, 2026
Bandit: Unauthenticated DoS via chunked request trailers in Bandit HTTP/1 decoder | High | CVE-2026-39806 | bandit (Erlang) | May 19, 2026
Bandit: Unauthenticated one-shot DoS via `Transfer-Encoding: chunked` | High | CVE-2026-39803 | bandit (Erlang) | May 19, 2026
Postgrex: Channel-name SQL injection in `Postgrex.Notifications.listen/3` | High | CVE-2026-32687 | postgrex (Erlang) | May 18, 2026