GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
145 advisories
Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names
Moderate
CVE-2026-45070
was published
for
symfony/mime
(Composer)
May 27, 2026
net-imap vulnerable to command Injection via unvalidated Symbol inputs
Moderate
CVE-2026-42258
was published
for
net-imap
(RubyGems)
May 4, 2026
sse-channel: SSE Injection via unsanitized event fields
Moderate
CVE-2026-44217
was published
for
sse-channel
(npm)
May 5, 2026
Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values
Moderate
CVE-2026-26962
was published
for
rack
(RubyGems)
Apr 2, 2026
AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing
Moderate
CVE-2026-43882
was published
for
wwbn/avideo
(Composer)
May 5, 2026
net-imap vulnerable to command Injection via "raw" arguments to multiple commands
Moderate
CVE-2026-42257
was published
for
net-imap
(RubyGems)
May 4, 2026
PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes
High
CVE-2026-41570
was published
for
phpunit/phpunit
(Composer)
Apr 18, 2026
Netty: Start-Line Injection in DefaultHttpRequest.setUri() Allows HTTP Request Smuggling and RTSP Request Injection
Moderate
CVE-2026-41417
was published
for
io.netty:netty-codec-http
(Maven)
May 5, 2026
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
Moderate
CVE-2026-42037
was published
for
axios
(npm)
May 5, 2026
Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()
High
CVE-2026-41230
was published
for
froxlor/froxlor
(Composer)
Apr 16, 2026
ProTip!
Advisories are also available from the
GraphQL API