Vulnerability Database
Vulnerabilities
| ID | Packages | Summary | Published | Attributes |
| --- | --- | --- | --- | --- |
| GHSA-qc5p-3mg5-9fh8 | RubyGems/avo | Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources | 6 days ago | Fix available; Severity - 8.8 (High) |
| GHSA-q339-8rmv-2mhv | RubyGems/erb | ERB has an @_init deserialization guard bypass via def_module / def_method / def_class | 6 days ago | Fix available; Severity - 8.1 (High) |
| GHSA-2wvh-87g2-89hr | RubyGems/openc3 | OpenC3 COSMOS: Permissions Bypass Provides User Access to Unassigned Administrative Actions via Script Runner Tool | 23 Apr | Fix available; Severity - 9.6 (Critical) |
| GHSA-v529-vhwc-wfc5 | RubyGems/openc3 | OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database | 23 Apr | Fix available; Severity - 9.6 (Critical) |
| GHSA-ffq5-qpvf-xq7x | RubyGems/openc3 | OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender | 22 Apr | Fix available; Severity - 4.6 (Medium) |
| GHSA-4jvx-93h3-f45h | RubyGems/openc3 | OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames | 22 Apr | Fix available; Severity - 4.3 (Medium) |
| GHSA-wgx6-g857-jjf7 | RubyGems/openc3 | OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence | 22 Apr | Fix available; Severity - 8.1 (High) |
| GHSA-3jfp-46x4-xgfj | RubyGems/yard | yard: Possible arbitrary path traversal and file access via yard server | 17 Apr | Fix available; Severity - 6.9 (Medium) |
| GHSA-g857-hhfv-j68w | RubyGems/zlib | Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption | 16 Apr | Fix available; Severity - 5.9 (Medium) |
| MAL-2026-2815 | RubyGems/monolith-twirp-pullsd-authorization | Malicious code in monolith-twirp-pullsd-authorization (RubyGems) | 16 Apr | No fix available |
| MAL-2026-2816 | RubyGems/monolith-twirp-pullsd-users | Malicious code in monolith-twirp-pullsd-users (RubyGems) | 16 Apr | No fix available |
| MAL-2026-2814 | RubyGems/gitlab-orchestrator | Malicious code in gitlab-orchestrator (RubyGems) | 16 Apr | No fix available |
| GHSA-2x79-gwq3-vxxm | RubyGems/iodine | Uncontrolled resource consumption and loop with unreachable exit condition in facil.io and downstream iodine ruby gem | 14 Apr | No fix available; Severity - 8.7 (High) |
| GHSA-w5xj-99cg-rccm | RubyGems/decidim-core | Decidim amendments can be accepted or rejected by anyone | 14 Apr | Fix available; Severity - 7.5 (High) |
| GHSA-9pm8-vwc5-w2hm | RubyGems/fat_free_crm | Fat Free CRM has BOLA in DELETE /emails/:id - Any authenticated user can hit this endpoint and delete emails by ID | 14 Apr | Fix available; Severity - 2.1 (Low) |
| GHSA-fc46-r95f-hq7g | RubyGems/decidim-core | Decidim has a cross-site scripting (XSS) in user name | 13 Apr | Fix available; Severity - 9.3 (Critical) |
RubyGems - OSV