GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
123 advisories
Cargo crates in third party registries can override the cached source of other crates
Moderate | CVE-2026-5223 was published for cargo (Rust) | Jun 26, 2026

A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile...
Moderate | Unreviewed | CVE-2026-13218 was published | Jun 26, 2026

A flaw was found in KubeVirt's safepath package. The OpenAtNoFollow function uses O_PATH...
Moderate | Unreviewed | CVE-2026-13201 was published | Jun 24, 2026

OpenTofu: Provider cache installation follows root-module-controlled package directory symlink and writes outside the working tree
Moderate | GHSA-wcmj-x466-56mm was published for github.com/opentofu/opentofu (Go) | Jun 23, 2026

Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym
Critical | CVE-2026-52811 was published for gogs.io/gogs (Go) | Jun 23, 2026

pwnlift before d7a9544, in a privileged deployment, contains a symlink following vulnerability in...
High | Unreviewed | CVE-2026-56815 was published | Jun 23, 2026

runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations
Moderate | CVE-2026-41579 was published for github.com/opencontainers/runc (Go) | Jun 22, 2026

ChatterBot: Symlink-Following Arbitrary Write via UbuntuCorpusTrainer
Moderate | GHSA-wvrh-2f4m-924v was published for ChatterBot (pip) | Jun 19, 2026

Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit
Critical | CVE-2026-55447 was published for langflow (pip) | Jun 19, 2026

Arbitrary host CRI log file read via symlink following in CRI checkpoint restore
High | CVE-2026-53489 was published for github.com/containerd/containerd/v2 (Go) | Jun 19, 2026

BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284
Moderate | CVE-2026-12565 was published for bbot (pip) | Jun 18, 2026

LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0)...
High | Unreviewed | CVE-2026-54420 was published | Jun 14, 2026

This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia...
Moderate | Unreviewed | CVE-2025-43278 was published | Jun 11, 2026

PDM: Project-Local State and Config Writes Follow Symlinks
Moderate | CVE-2026-47763 was published for pdm (pip) | Jun 10, 2026

skillctl: Path traversal and symlink-follow in skillctl allow arbitrary file disclosure and deletion
High | GHSA-wx3m-whqv-xv47 was published for skillctl (Rust) | Jun 5, 2026

Docker: Race condition in docker cp allows bind mount redirection to host path
High | CVE-2026-42306 was published for github.com/docker/docker (Go) | May 18, 2026

Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
Moderate | CVE-2026-41568 was published for github.com/docker/docker (Go) | May 18, 2026

Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload...
High | Unreviewed | CVE-2026-41937 was published | May 14, 2026

Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin...
High | Unreviewed | CVE-2026-6475 was published | May 14, 2026

pgAdmin 4 File Manager has symbolic-link path traversal
High | CVE-2026-7819 was published for pgadmin4 (pip) | May 11, 2026

A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing...
High | Unreviewed | CVE-2026-29203 was published | May 8, 2026

astral-tokio-tar: `unpack_in` can chmod arbitrary directories by following symlinks
Low | GHSA-xx64-wwv2-hcqq was published for astral-tokio-tar (Rust) | May 6, 2026

OpenClaw contains a symlink traversal vulnerability
Moderate | CVE-2026-43570 was published for openclaw (npm) | May 5, 2026

Kata Container has CopyFile Policy Subversion via Symlinks
High | CVE-2026-41326 was published for github.com/kata-containers/kata-containers (Go) | May 4, 2026

zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write
High | CVE-2026-42275 was published for github.com/openziti/zrok (Go) | Apr 25, 2026