Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,746
Maven
5,000+
npm
4,350
NuGet
765
pip
4,114
Pub
12
RubyGems
960
Rust
1,069
Swift
45
Unreviewed advisories
All unreviewed
5,000+

39 advisories

Filter by severity
All severities
Low
Moderate
High
Critical
Loading
Ash has authorization bypass when bypass policy condition evaluates to true High
CVE-2025-48044 was published for ash (Erlang) Oct 17, 2025
jecholmaennchen
zachdaniel
Credited to jechol, maennchen, and zachdaniel
Ash Framework: Filter authorization misapplies impossible bypass/runtime policies High
CVE-2025-48043 was published for ash (Erlang) Oct 13, 2025
maennchenzachdaniel
Credited to maennchen and zachdaniel
Before action, Ash's hooks may execute in certain scenarios despite a request being forbidden High
CVE-2025-48042 was published for ash (Erlang) Sep 15, 2025
zachdanielmaennchen
Credited to zachdaniel and maennchen
ash_authentication_phoenix has Insufficient Session Expiration Low
CVE-2025-4754 was published for ash_authentication_phoenix (Erlang) Jun 17, 2025
jimsynzzachdaniel
mbuhotmaennchen
Credited to jimsynz, zachdaniel, mbuhot, and maennchen
Hackney fails to properly release HTTP connections to the pool Low
CVE-2025-3864 was published for hackney (Erlang) May 28, 2025
ash_authentication has email link auto-click account confirmation vulnerability Moderate
CVE-2025-32782 was published for ash_authentication (Erlang) Apr 14, 2025
zachdanieljimsynz
maennchenbarnabasJsevenseacat
Credited to zachdaniel, jimsynz, maennchen, barnabasJ, and sevenseacat
Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install` Moderate
CVE-2025-25202 was published for ash_authentication (Erlang) Feb 11, 2025
wilburyangzachdaniel
jimsynz
Credited to wilburyang, zachdaniel, and jimsynz
Server-side Request Forgery (SSRF) in hackney Low
CVE-2025-1211 was published for hackney (Erlang) Feb 11, 2025
benoitc
Credited to benoitc
RabbitMQ HTTP API's queue deletion endpoint does not verify that the user has a required permission High
CVE-2024-51988 was published for rabbit_common (Erlang) Nov 6, 2024
bedlaanhanhnguyen
michaelklishin
Credited to bedla, anhanhnguyen, and michaelklishin
In AshPostgres, empty, atomic, non-bulk actions, policy bypass for side-effects vulnerability. Moderate
CVE-2024-49756 was published for ash_postgres (Erlang) Oct 23, 2024
maennchenrapidfsub
zachdaniel
Credited to maennchen, rapidfsub, and zachdaniel
OpenID Connect client Atom Exhaustion in provider configuration worker ets table location Moderate
CVE-2024-31209 was published for oidcc (Erlang) Apr 3, 2024
mohamedalikhechinerobertfiko
maennchenpaulswartzSAFE-Erlang-Elixir
Credited to mohamedalikhechine, robertfiko, maennchen, paulswartz, and SAFE-Erlang-Elixir
erlang-jose vulnerable to denial of service via large p2c value Moderate
CVE-2023-50966 was published for jose (Erlang) Mar 19, 2024
maennchen
Credited to maennchen
Samly access control vulnerability Critical
CVE-2024-25718 was published for Samly (Erlang) Feb 11, 2024
Pleroma Path Traversal vulnerability Low
CVE-2023-5588 was published for pleroma (Erlang) Oct 16, 2023
MTProto proxy remote code execution vulnerability High
CVE-2023-45312 was published for mtproto_proxy (Erlang) Oct 10, 2023
Pow Mnesia cache doesn't invalidate all expired keys on startup Moderate
CVE-2023-42446 was published for pow (Erlang) Sep 19, 2023
gVirtu
Credited to gVirtu
Livebook Desktop's protocol handler can be exploited to execute arbitrary command on Windows High
CVE-2023-35174 was published for livebook (Erlang) Jun 21, 2023
maple3142
Credited to maple3142
phoenix_html allows Cross-site Scripting in HEEx class attributes Moderate
CVE-2021-46871 was published for phoenix_html (Erlang) Jan 10, 2023
Ecto lacks a protection mechanism Critical
CVE-2017-20166 was published for ecto (Erlang) Jan 10, 2023
Phoenix before 1.6.14 mishandles check_origin wildcarding High
CVE-2022-42975 was published for phoenix (Erlang) Oct 17, 2022
maennchen
Credited to maennchen
ecdsa-elixir fails to check signatures, vulnerable to message forging Critical
CVE-2021-43568 was published for ecdsa-elixir (Erlang) May 24, 2022
westonsteimel
Credited to westonsteimel
Pivotal RabbitMQ is vulnerable to a denial of service attack High
CVE-2019-11287 was published for RabbitMQ (Erlang) May 24, 2022
Cross-site Scripting in RabbitMQ Low
CVE-2019-11291 was published for rabbit_common (Erlang) May 24, 2022
Ejabberd DoS via malformed stanza Moderate
CVE-2011-4320 was published for ejabberd (Erlang) May 17, 2022
Erlang Solutions MongooseIM vulnerable to denial of service (DoS) via crafted XMPP stream High
CVE-2014-2829 was published for MongooseIM (Erlang) May 17, 2022
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database