Vulnerabilities
| ID | Packages | Summary | Published | Attributes |
| --- | --- | --- | --- | --- |
| GHSA-w67g-2h6v-vjgq | RubyGems/phlex | Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values | 2 days ago | Fix available; Severity - 7.1 (High) |
| GHSA-87fh-rc96-6fr6 | RubyGems/spree_api | Unauthenticated Spree Commerce users can access all guest addresses | 3 days ago | Fix available; Severity - 7.7 (High) |
| GHSA-p6pv-q7rc-g4h9 | RubyGems/spree_storefront | Unauthenticated Spree Commerce users can view completed guest orders by Order ID | 3 days ago | Fix available; Severity - 7.7 (High) |
| GHSA-3cx6-j9j4-54mp | RubyGems/decidim, RubyGems/decidim-core | Decidim's private data exports can lead to data leaks | 5 days ago | Fix available; Severity - 8.2 (High) |
| GHSA-2qxw-7fmx-gqfm | RubyGems/foreman_kubevirt | foreman_kubevirt disables SSL verification if a Certificate Authority (CA) certificate is not explicitly set | 02 Feb | Fix available; Severity - 8.1 (High) |
| GHSA-m3hq-3qj8-c5fm | RubyGems/fog-kubevirt | fog-kubevirt allows remote attacker to perform MITM attack due to disabled certificate validation | 02 Feb | Fix available; Severity - 8.1 (High) |
| GHSA-2762-657x-v979 | RubyGems/alchemy_cms | AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper | 21 Jan | Fix available; Severity - 6.4 (Medium) |
| GHSA-mpwp-4h2m-765c | RubyGems/activejob | Active Job - Object injection security vulnerability | 16 Jan | Fix available; Severity - 6.6 (Medium) |
| GHSA-5qw5-wf2q-f538 | RubyGems/activerecord-jdbc-adapter | ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub() Function SQL Injection | 16 Jan | Fix available; Severity - 8.8 (High) |
| GHSA-w757-4qv9-mghp | RubyGems/openc3 | openc3-api Vulnerable to Unauthenticated Remote Code Execution | 13 Jan | Fix available; Severity - 10.0 (Critical) |
| GHSA-3ghg-3787-w2xr | RubyGems/spree_core | Spree API has Unauthenticated IDOR - Guest Address | 08 Jan | Fix available; Severity - 7.5 (High) |
| GHSA-g268-72p7-9j6j | RubyGems/spree_api | Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification | 08 Jan | Fix available; Severity - 6.5 (Medium) |
| GHSA-96qw-h329-v5rg | RubyGems/shakapacker, npm/shakapacker | Shakapacker has environment variable leak via EnvironmentPlugin that exposes secrets to client-side bundles | 08 Jan | Fix available; Severity - 7.5 (High) |
| GHSA-g9jg-w8vm-g96v | RubyGems/action_text-trix, npm/trix | Trix has a stored XSS vulnerability through its attachment attribute | 31 Dec 2025 | Fix available; Severity - 4.6 (Medium) |
| GHSA-j4pr-3wm6-xx2r | RubyGems/uri | URI Credential Leakage Bypass over CVE-2025-27221 | 30 Dec 2025 | Fix available; Severity - 2.7 (Low) |
| GHSA-hm5p-x4rq-38w4 | RubyGems/httparty | httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage | 23 Dec 2025 | Fix available; Severity - 7.8 (High) |
RubyGems - OSV