Vulnerability Database
Vulnerabilities
ID
Packages
Summary
Published
Attributes
GHSA-2wvh-87g2-89hr
RubyGems/openc3
OpenC3 COSMOS: Permissions Bypass Provides User Access to Unassigned Administrative Actions via Script Runner Tool
1 hour ago
Fix available
Severity - 9.6 (Critical)
GHSA-v529-vhwc-wfc5
RubyGems/openc3
OpenC3 COSMOS has SQL Injection in QuestDB Time-Series Database
1 hour ago
Fix available
Severity - 9.6 (Critical)
GHSA-ffq5-qpvf-xq7x
RubyGems/openc3
OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender
17 hours ago
Fix available
Severity - 4.6 (Medium)
GHSA-4jvx-93h3-f45h
RubyGems/openc3
OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames
17 hours ago
Fix available
Severity - 4.3 (Medium)
GHSA-wgx6-g857-jjf7
RubyGems/openc3
OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence
17 hours ago
Fix available
Severity - 8.1 (High)
GHSA-3jfp-46x4-xgfj
RubyGems/yard
yard: Possible arbitrary path traversal and file access via yard server
5 days ago
Fix available
Severity - 6.9 (Medium)
GHSA-g857-hhfv-j68w
RubyGems/zlib
Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption
6 days ago
Fix available
Severity - 5.9 (Medium)
MAL-2026-2815
RubyGems/monolith-twirp-pullsd-authorization
Malicious code in monolith-twirp-pullsd-authorization (RubyGems)
16 Apr
No fix available
MAL-2026-2816
RubyGems/monolith-twirp-pullsd-users
Malicious code in monolith-twirp-pullsd-users (RubyGems)
16 Apr
No fix available
MAL-2026-2814
RubyGems/gitlab-orchestrator
Malicious code in gitlab-orchestrator (RubyGems)
16 Apr
No fix available
GHSA-2x79-gwq3-vxxm
RubyGems/iodine
Uncontrolled resource consumption and loop with unreachable exit condition in facil.io and downstream iodine ruby gem
14 Apr
No fix available
Severity - 8.7 (High)
GHSA-w5xj-99cg-rccm
RubyGems/decidim-core
Decidim amendments can be accepted or rejected by anyone
14 Apr
Fix available
Severity - 7.5 (High)
GHSA-9pm8-vwc5-w2hm
RubyGems/fat_free_crm
Fat Free CRM has BOLA in DELETE /emails/:id - Any authenticated user can hit this endpoint and delete emails by ID
14 Apr
Fix available
Severity - 2.1 (Low)
GHSA-fc46-r95f-hq7g
RubyGems/decidim-core
Decidim has a cross-site scripting (XSS) in user name
13 Apr
Fix available
Severity - 9.3 (Critical)
GHSA-9hfr-gw99-8rhx
RubyGems/bsv-sdk
bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts
09 Apr
Fix available
Severity - 7.5 (High)
GHSA-hc36-c89j-5f4j
RubyGems/bsv-sdk
RubyGems/bsv-wallet
bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)
09 Apr
Fix available
Severity - 8.1 (High)
RubyGems - OSV