Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

446 advisories

Loading
oras-go has file store write outside workingDir via symlink traversal Moderate
CVE-2026-50162 was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
1seal Credited to 1seal
EasyAdminBundle has path traversal and reflected XSS in Flag and Icon Twig components Moderate
GHSA-2wwr-9x6f-88gp was published for easycorp/easyadmin-bundle (Composer) Jul 1, 2026
pnpm: `patch-remove` could delete project-selected files outside the patches directory High
GHSA-72r4-9c5j-mj57 was published for pnpm (npm) Jun 27, 2026
pnpm: Hoisted install imports lockfile alias outside node_modules High
GHSA-fr4h-3cph-29xv was published for pnpm (npm) Jun 27, 2026
pnpm: Reserved bin name deletes PNPM_HOME during global remove Moderate
CVE-2026-55699 was published for pnpm (npm) Jun 26, 2026
PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles Low
CVE-2026-49358 was published for pontedilana/php-weasyprint (Composer) Jun 26, 2026
Incus has an arbitrary file write via path traversal in S3 multipart upload Critical
CVE-2026-48753 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
antifob Credited to antifob and stgraber stgraber stgraber
Incus has arbitrary file read+write on host via templates/ symlink in malicious image Critical
CVE-2026-48752 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
antifob Credited to antifob and stgraber stgraber stgraber
Incus has an arbitrary file write on host via `exec-output` symlink in crafted image Critical
CVE-2026-48750 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
antifob Credited to antifob and stgraber stgraber stgraber
Incus has an arbitrary file read+write on host via rootfs/ symlink in malicious image Critical
CVE-2026-48749 was published for github.com/lxc/incus/v7/cmd/incusd (Go) Jun 26, 2026
antifob Credited to antifob and stgraber stgraber stgraber
OctoPrint has possible file exfiltration via query parameters on upload endpoints High
CVE-2026-54134 was published for OctoPrint (pip) Jun 23, 2026
seankohjs Credited to seankohjs and jacopotediosi jacopotediosi jacopotediosi
Network-AI: Poisoned environment backup manifest allows arbitrary recursive deletion during backup pruning High
GHSA-2fmp-9rvw-hc96 was published for network-ai (npm) Jun 19, 2026
sondt99 Credited to sondt99
Entire CLI: Path traversal in checkpoint session metadata allows arbitrary file write during resume/rewind Moderate
GHSA-2h46-9x5w-4wf7 was published for github.com/entireio/cli (Go) Jun 19, 2026
nskath Credited to nskath
ProTip! Advisories are also available from the GraphQL API