diff --git a/gems/mpxj/CVE-2024-49771.yml b/gems/mpxj/CVE-2024-49771.yml new file mode 100644 index 0000000000..b83343a9af --- /dev/null +++ b/gems/mpxj/CVE-2024-49771.yml @@ -0,0 +1,35 @@ +--- +gem: mpxj +cve: 2024-49771 +ghsa: j945-c44v-97g6 +url: https://github.com/joniles/mpxj/security/advisories/GHSA-j945-c44v-97g6 +title: MPXJ has a Potential Path Traversal Vulnerability +date: 2024-10-28 +description: | + ### Impact + + The patch for the historical vulnerability CVE-2020-35460 in MPXJ + is incomplete as there is still a possibility that a malicious path + could be constructed which would not be picked up by the original + fix and allow files to be written to arbitrary locations. + + ### Patches + + The issue is addressed in MPXJ version 13.5.1 + + ### Workarounds + + Do not pass zip files to MPXJ. + + ### References + N/A +cvss_v3: 5.3 +unaffected_versions: + - "< 8.3.5" +patched_versions: + - ">= 13.5.1" +related: + url: + - https://github.com/joniles/mpxj/security/advisories/GHSA-j945-c44v-97g6 + - https://github.com/joniles/mpxj/commit/8002802890dfdc8bc74259f37e053e15b827eea0 + - https://github.com/advisories/GHSA-j945-c44v-97g6 diff --git a/gems/rexml/CVE-2024-49761.yml b/gems/rexml/CVE-2024-49761.yml new file mode 100644 index 0000000000..41ae2527cd --- /dev/null +++ b/gems/rexml/CVE-2024-49761.yml 
@@ -0,0 +1,40 @@ +--- +gem: rexml +cve: 2024-49761 +ghsa: 2rxp-v6pw-ch6m +url: https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m +title: REXML ReDoS vulnerability +date: 2024-10-28 +description: | + ## Impact + + The REXML gem before 3.3.9 has a ReDoS vulnerability when it + parses an XML that has many digits between `&#` and `x...;` + in a hex numeric character reference (`&#x...;`). + + This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only + affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03. + + ## Patches + + The REXML gem 3.3.9 or later include the patch to fix the vulnerability. + + ## Workarounds + + Use Ruby 3.2 or later instead of Ruby 3.1. + + ## References + + * https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761 + * Announced on www.ruby-lang.org. +cvss_v4: 6.6 +patched_versions: + - ">= 3.3.9" +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2024-49761 + - https://github.com/ruby/rexml/releases/tag/v3.3.9 + - https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m + - https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f + - https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761 + - https://github.com/advisories/GHSA-2rxp-v6pw-ch6m
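Review bot: in the mpxj hunk, `unaffected_versions: - "< 8.3.5"` reads as if releases before 8.3.5 are safe, but the description says this CVE is an incomplete fix for CVE-2020-35460, so those releases lack even the partial fix and are only "unaffected" in the sense of being tracked under the older CVE; add a sentence to the description (or a YAML comment next to the field) saying so, otherwise a reader scanning only the version fields may keep an older release. Also, `### References` followed by `N/A` contradicts the three URLs listed under `related:`; either drop that section or list the advisory link there, and the `### Patches` sentence is missing its full stop.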
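Review bot: in the rexml hunk, the description's statement that only Ruby 3.1 is affected cannot be expressed through `patched_versions: - ">= 3.3.9"`, so an audit run on Ruby 3.2 or later with rexml < 3.3.9 will still report this advisory; that is the right conservative behaviour, but say so in the description so it is not filed as a false positive. Minor: the advisory URL already given in `url:` is repeated under `related: url:`, the `## References` bullet "Announced on www.ruby-lang.org." duplicates the link above it, "include the patch" should read "includes the patch", and the heading level differs from the mpxj entry (`##` here, `###` there).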