
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

49 advisories

PraisonAI Vulnerable to Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits Moderate
CVE-2026-40148 was published for PraisonAI (pip) Apr 10, 2026
Credited to offset
Duplicate Advisory: Unfurl's unbounded zlib decompression allows decompression bomb DoS High
GHSA-c3f2-qg8v-25q2 was published for dfir-unfurl (pip) Apr 9, 2026 withdrawn
JWCrypto: JWE ZIP decompression bomb Moderate
CVE-2026-39373 was published for jwcrypto (pip) Apr 8, 2026
Credited to hkmj19
Mattermost doesn't validate decompressed archive entry sizes during file extraction Moderate
CVE-2026-3114 was published for github.com/mattermost/mattermost/server/v8 (Go) Mar 26, 2026
PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS Moderate
GHSA-vrqm-gvq7-rrwh was published for @pdfme/pdf-lib (npm) Mar 20, 2026
Credited to offset
Keycloak: Denial of Service due to excessive SAMLRequest decompression Moderate
CVE-2026-2575 was published for org.keycloak:keycloak-saml-adapter-core (Maven) Mar 18, 2026
file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry Moderate
CVE-2026-32630 was published for file-type (npm) Mar 13, 2026
Credited to ByamB4
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression High
CVE-2026-1526 was published for undici (npm) Mar 13, 2026
Credited to HO-9, mcollina, and UlisesGascon
OpenClaw skills-install-download: tar.bz2 extraction bypassed archive safety parity checks (local DoS) Moderate
GHSA-77hf-7fqf-f227 was published for openclaw (npm) Mar 3, 2026
Credited to GCXWLP
Sliver has Potential Zip Bomb Denial of Service in GzipEncoder High
GHSA-2phg-qgmm-r638 was published for github.com/BishopFox/sliver (Go) Feb 25, 2026
Credited to Cycloctane
nats-server websockets are vulnerable to pre-auth memory DoS Moderate
CVE-2026-27571 was published for github.com/nats-io/nats-server (Go) Feb 24, 2026
Unfurl's unbounded zlib decompression allows decompression bomb DoS High
CVE-2026-40036 was published for dfir-unfurl (pip) Jan 29, 2026
Credited to mobasi-team
Next.js has Unbounded Memory Consumption via PPR Resume Endpoint Moderate
CVE-2025-59472 was published for next (npm) Jan 28, 2026
Credited to cylewaitforit and jesvinjames
GuardDog Zip Bomb Vulnerability in safe_extract() Allows DoS High
CVE-2026-22870 was published for guarddog (pip) Jan 13, 2026
Credited to dwBruijn
Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API) High
CVE-2026-21441 was published for urllib3 (pip) Jan 7, 2026
Credited to D47A, illia-v, pquentin, and sethmlarson
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb High
CVE-2025-69223 was published for aiohttp (pip) Jan 5, 2026
Credited to charleswhchan and bdraco
Duplicate Advisory: python-jose denial of service via compressed JWE content Moderate
CVE-2024-29370 was published for python-jose (pip) Dec 17, 2025 withdrawn
urllib3 streaming API improperly handles highly compressed data High
CVE-2025-66471 was published for urllib3 (pip) Dec 5, 2025
Credited to illia-v, pquentin, sethmlarson, Cycloctane, and stamparm
pypdf's LZWDecode streams can be manipulated to exhaust RAM Moderate
CVE-2025-66019 was published for pypdf (pip) Nov 24, 2025
Credited to aydinnyunus and stefan6419846
pypdf can exhaust RAM via manipulated LZWDecode streams Moderate
CVE-2025-62708 was published for pypdf (pip) Oct 22, 2025
Credited to tylzh97 and stefan6419846
ProcessWire CMS vulnerable to resource-exhaustion Denial of Service Moderate
CVE-2025-60790 was published for processwire/processwire (Composer) Oct 21, 2025