GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 74
GitHub Actions: 54
Go: 4,080
Maven: 5,000+
npm: 5,000+
NuGet: 994
pip: 5,000+
Pub: 13
RubyGems: 1,095
Rust: 1,412
Swift: 61
Unreviewed advisories
All unreviewed: 5,000+
80 advisories
guzzlehttp/psr7: CRLF Injection in HTTP Start-Line Serialization
Moderate
CVE-2026-55766 was published for guzzlehttp/psr7 (Composer) Jun 19, 2026
undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
Moderate
CVE-2026-9679 was published for undici (npm) Jun 19, 2026
Kirby: Request header injection in `Http\Remote`
Moderate
CVE-2026-50188 was published for getkirby/cms (Composer) Jun 18, 2026
http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`
High
CVE-2026-55603 was published for http-proxy-middleware (npm) Jun 18, 2026
Laravel Framework: CRLF injection in default email rule
High
GHSA-5vg9-5847-vvmq was published for laravel/framework (Composer) Jun 17, 2026
Crawl4AI: Arbitrary file write (symlink/TOCTOU) plus log and webhook-header injection in Docker server
High
GHSA-7cx2-g3h9-382p was published for crawl4ai (pip) Jun 16, 2026
aiohttp: CRLF injection in multipart headers
Low
CVE-2026-50269 was published for aiohttp (pip) Jun 15, 2026
Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection
Moderate
GHSA-268h-hp4c-crq3 was published for nodemailer (npm) Jun 15, 2026
form-data: CRLF injection in form-data via unescaped multipart field names and filenames
High
CVE-2026-12143 was published for form-data (npm) Jun 15, 2026
SwiftNIO: CRLF Injection in outbound HTTP request URI via NIOHTTPRequestHeadersValidator
Moderate
CVE-2026-28970 was published for github.com/apple/swift-nio (Swift) Jun 12, 2026
guzzlehttp/psr7 has CRLF Injection via URI Host Component
Moderate
CVE-2026-49214 was published for guzzlehttp/psr7 (Composer) Jun 11, 2026
Net::IMAP: Command Injection via ID command argument
Moderate
CVE-2026-47242 was published for net-imap (RubyGems) Jun 9, 2026
Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument
Moderate
CVE-2026-47240 was published for net-imap (RubyGems) Jun 9, 2026
Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names
Moderate
CVE-2026-45070 was published for symfony/mime (Composer) May 27, 2026
Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address
High
CVE-2026-45067 was published for symfony/mime (Composer) May 27, 2026
ninenines cowlib: Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability allows SSE event splitting and injection via unvalidated field values
Moderate
CVE-2026-43968 was published for cowlib (Erlang) May 11, 2026
cowlib: Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1
Low
CVE-2026-43969 was published for cowlib (Erlang) May 11, 2026
eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields
Moderate
CVE-2026-44214 was published for eventsource-encoder (npm) May 8, 2026
Netty Redis Codec Encoder has a CRLF Injection Issue
Moderate
CVE-2026-42586 was published for io.netty:netty-codec-redis (Maven) May 7, 2026
sse-channel: SSE Injection via unsanitized event fields
Moderate
CVE-2026-44217 was published for sse-channel (npm) May 5, 2026
AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing
Moderate
CVE-2026-43882 was published for wwbn/avideo (Composer) May 5, 2026
Netty: Start-Line Injection in DefaultHttpRequest.setUri() Allows HTTP Request Smuggling and RTSP Request Injection
Moderate
CVE-2026-41417 was published for io.netty:netty-codec-http (Maven) May 5, 2026
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
Moderate
CVE-2026-42037 was published for axios (npm) May 5, 2026
net-imap vulnerable to command Injection via "raw" arguments to multiple commands
Moderate
CVE-2026-42257 was published for net-imap (RubyGems) May 4, 2026
net-imap vulnerable to command Injection via unvalidated Symbol inputs
Moderate
CVE-2026-42258 was published for net-imap (RubyGems) May 4, 2026
ProTip! Advisories are also available from the GraphQL API