{"source":"ghsa-rubygems","note":"Free 5-item preview. The full feed is $0.05/call at GET /v1/ghsa-rubygems/changes.","question":"Which new GitHub security advisories affecting RubyGems/Ruby packages were published since T, and how severe are they?","sample":[{"source":"ghsa-rubygems","entityId":"ghsa:GHSA-m6vc-f87m-cc2h","type":"advisory","title":"GHSA-m6vc-f87m-cc2h / CVE-2026-44476: Doorkeeper Openid Connect: Dynamic Client Registration feature creates public clients with client_secret","summary":"MEDIUM severity. Affected: doorkeeper-openid_connect.","significance":5,"detectedAt":"2026-07-14T22:21:20.444Z","effectiveDate":"2026-06-04T14:37:11Z","sourceUrl":"https://github.com/advisories/GHSA-m6vc-f87m-cc2h","detail":{"severity":"medium","cve":"CVE-2026-44476","packages":"doorkeeper-openid_connect","cvss":null}},{"source":"ghsa-rubygems","entityId":"ghsa:GHSA-xf4v-w5x5-pv79","type":"advisory","title":"GHSA-xf4v-w5x5-pv79: Spree: CSV Formula Injection in Customer Export","summary":"MEDIUM severity. Affected: spree, spree, spree.","significance":5,"detectedAt":"2026-07-14T22:21:20.444Z","effectiveDate":"2026-06-04T18:46:04Z","sourceUrl":"https://github.com/advisories/GHSA-xf4v-w5x5-pv79","detail":{"severity":"medium","cve":null,"packages":"spree, spree, spree","cvss":null}},{"source":"ghsa-rubygems","entityId":"ghsa:GHSA-qpgp-93vx-g8v8","type":"advisory","title":"GHSA-qpgp-93vx-g8v8 / CVE-2026-47736: Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion","summary":"HIGH severity. Affected: puma, puma.","significance":8,"detectedAt":"2026-07-14T22:21:20.444Z","effectiveDate":"2026-06-08T23:55:44Z","sourceUrl":"https://github.com/advisories/GHSA-qpgp-93vx-g8v8","detail":{"severity":"high","cve":"CVE-2026-47736","packages":"puma, puma","cvss":7.5}},{"source":"ghsa-rubygems","entityId":"ghsa:GHSA-2vqw-3mp8-cgmx","type":"advisory","title":"GHSA-2vqw-3mp8-cgmx / CVE-2026-47737: Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections","summary":"HIGH severity. Affected: puma, puma.","significance":8,"detectedAt":"2026-07-14T22:21:20.444Z","effectiveDate":"2026-06-09T00:09:44Z","sourceUrl":"https://github.com/advisories/GHSA-2vqw-3mp8-cgmx","detail":{"severity":"high","cve":"CVE-2026-47737","packages":"puma, puma","cvss":7.5}},{"source":"ghsa-rubygems","entityId":"ghsa:GHSA-8p34-64r3-mwg8","type":"advisory","title":"GHSA-8p34-64r3-mwg8 / CVE-2026-47240: Net::IMAP: Command Injection via non-synchronizing literal in \"raw\" argument","summary":"MEDIUM severity. Affected: net-imap, net-imap.","significance":5,"detectedAt":"2026-07-14T22:21:20.444Z","effectiveDate":"2026-06-09T18:36:04Z","sourceUrl":"https://github.com/advisories/GHSA-8p34-64r3-mwg8","detail":{"severity":"medium","cve":"CVE-2026-47240","packages":"net-imap, net-imap","cvss":null}}]}