GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
41 advisories
PraisonAI Vulnerable to Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits
Moderate
CVE-2026-40148
was published
for
PraisonAI
(pip)
Apr 10, 2026
JWCrypto: JWE ZIP decompression bomb
Moderate
CVE-2026-39373
was published
for
jwcrypto
(pip)
Apr 8, 2026
PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS
Moderate
GHSA-vrqm-gvq7-rrwh
was published
for
@pdfme/pdf-lib
(npm)
Mar 20, 2026
file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry
Moderate
CVE-2026-32630
was published
for
file-type
(npm)
Mar 13, 2026
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
High
CVE-2026-1526
was published
for
undici
(npm)
Mar 13, 2026
OpenClaw skills-install-download: tar.bz2 extraction bypassed archive safety parity checks (local DoS)
Moderate
GHSA-77hf-7fqf-f227
was published
for
openclaw
(npm)
Mar 3, 2026
Sliver has Potential Zip Bomb Denial of Service in GzipEncoder
High
GHSA-2phg-qgmm-r638
was published
for
github.com/BishopFox/sliver
(Go)
Feb 25, 2026
Unfurl's unbounded zlib decompression allows decompression bomb DoS
High
CVE-2026-40036
was published
for
dfir-unfurl
(pip)
Jan 29, 2026
Next.js has Unbounded Memory Consumption via PPR Resume Endpoint
Moderate
CVE-2025-59472
was published
for
next
(npm)
Jan 28, 2026
GuardDog Zip Bomb Vulnerability in safe_extract() Allows DoS
High
CVE-2026-22870
was published
for
guarddog
(pip)
Jan 13, 2026
Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)
High
CVE-2026-21441
was published
for
urllib3
(pip)
Jan 7, 2026
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
High
CVE-2025-69223
was published
for
aiohttp
(pip)
Jan 5, 2026
urllib3 streaming API improperly handles highly compressed data
High
CVE-2025-66471
was published
for
urllib3
(pip)
Dec 5, 2025
pypdf's LZWDecode streams be manipulated to exhaust RAM
Moderate
CVE-2025-66019
was published
for
pypdf
(pip)
Nov 24, 2025
pypdf can exhaust RAM via manipulated LZWDecode streams
Moderate
CVE-2025-62708
was published
for
pypdf
(pip)
Oct 22, 2025
Netty's decoders vulnerable to DoS via zip bomb style attack
Moderate
CVE-2025-58057
was published
for
io.netty:netty-codec
(Maven)
Sep 3, 2025
Mobile Security Framework (MobSF) Allows Web Server Resource Exhaustion via ZIP of Death Attack
Moderate
CVE-2025-46730
was published
for
mobsf
(pip)
May 5, 2025
ProTip!
Advisories are also available from the
GraphQL API