
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

55 advisories

Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend (Moderate)
CVE-2026-44018 was published for docling (pip) Jun 3, 2026
Credited to brodmart

ExifReader is vulnerable to denial of service via unbounded decompression of image metadata (Moderate)
CVE-2026-8814 was published for exifreader (npm) May 29, 2026
Credited to yuki-matsuhashi

CrowdSec LAPI: Denial of Service via Unbounded Gzip Decompression (Moderate)
CVE-2026-44981 was published for github.com/crowdsecurity/crowdsec (Go) May 27, 2026
Credited to davide-s-rosa

cowlib: Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame (High)
CVE-2026-43970 was published for cowlib (Erlang) May 13, 2026

Klever-Go MultiDataInterceptor has remote OOM via crafted compressed P2P payload (High)
CVE-2026-44697 was published for github.com/klever-io/klever-go (Go) May 13, 2026
Credited to fbsobreira

urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API (High)
CVE-2026-44432 was published for urllib3 (pip) May 11, 2026
Credited to kimkou2024, Cycloctane, illia-v, and pquentin

PraisonAI Vulnerable to Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits (Moderate)
CVE-2026-40148 was published for PraisonAI (pip) Apr 10, 2026
Credited to offset

Duplicate Advisory: Unfurl's unbounded zlib decompression allows decompression bomb DoS (High)
GHSA-c3f2-qg8v-25q2 was published for dfir-unfurl (pip) Apr 9, 2026 (withdrawn)

JWCrypto: JWE ZIP decompression bomb (Moderate)
CVE-2026-39373 was published for jwcrypto (pip) Apr 8, 2026
Credited to hkmj19

Mattermost doesn't validate decompressed archive entry sizes during file extraction (Moderate)
CVE-2026-3114 was published for github.com/mattermost/mattermost/server/v8 (Go) Mar 26, 2026

PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS (Moderate)
GHSA-vrqm-gvq7-rrwh was published for @pdfme/pdf-lib (npm) Mar 20, 2026
Credited to offset

Keycloak: Denial of Service due to excessive SAMLRequest decompression (Moderate)
CVE-2026-2575 was published for org.keycloak:keycloak-saml-adapter-core (Maven) Mar 18, 2026

file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry (Moderate)
CVE-2026-32630 was published for file-type (npm) Mar 13, 2026
Credited to ByamB4

Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression (High)
CVE-2026-1526 was published for undici (npm) Mar 13, 2026
Credited to HO-9, mcollina, and UlisesGascon

OpenClaw skills-install-download: tar.bz2 extraction bypassed archive safety parity checks (local DoS) (Moderate)
GHSA-77hf-7fqf-f227 was published for openclaw (npm) Mar 3, 2026
Credited to GCXWLP

Sliver has Potential Zip Bomb Denial of Service in GzipEncoder (High)
GHSA-2phg-qgmm-r638 was published for github.com/BishopFox/sliver (Go) Feb 25, 2026
Credited to Cycloctane

nats-server websockets are vulnerable to pre-auth memory DoS (Moderate)
CVE-2026-27571 was published for github.com/nats-io/nats-server (Go) Feb 24, 2026

Unfurl's unbounded zlib decompression allows decompression bomb DoS (High)
CVE-2026-40036 was published for dfir-unfurl (pip) Jan 29, 2026
Credited to mobasi-team

Next.js has Unbounded Memory Consumption via PPR Resume Endpoint (Moderate)
CVE-2025-59472 was published for next (npm) Jan 28, 2026
Credited to cylewaitforit and jesvinjames

GuardDog Zip Bomb Vulnerability in safe_extract() Allows DoS (High)
CVE-2026-22870 was published for guarddog (pip) Jan 13, 2026
Credited to dwBruijn

Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API) (High)
CVE-2026-21441 was published for urllib3 (pip) Jan 7, 2026
Credited to D47A, illia-v, pquentin, and sethmlarson

AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb (High)
CVE-2025-69223 was published for aiohttp (pip) Jan 5, 2026
Credited to charleswhchan and bdraco