Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

181 advisories

Loading
Wasmtime: Memory leak in C API with `externref` and `anyref` types Low
CVE-2025-61670 was published for wasmtime-bin (pip) Jul 14, 2026
alexcrichton Credited to alexcrichton
rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path Low
GHSA-cwv4-h3j5-w3cf was published for rama (Rust) Jul 7, 2026
chaitanyagarware Credited to chaitanyagarware
cut: -s ignored in -z -d '' newline-delimiter mode Low
CVE-2026-35381 was published for uu_cut (Rust) Jul 6, 2026
mknod: Device nodes created mislabeled on SELinux, with broken cleanup (remove_dir on a node) Low
CVE-2026-35361 was published for uu_mknod (Rust) Jul 6, 2026
uucore: safe_traversal TOCTOU protection only enabled on Linux Low
CVE-2026-35362 was published for uucore (Rust) Jul 6, 2026
mkdir: -m exposes directory with umask perms before chmod (race window) Low
CVE-2026-35353 was published for uu_mkdir (Rust) Jul 6, 2026
id: pretty-print uses effective GID instead of effective UID for name lookup Low
CVE-2026-35371 was published for uu_id (Rust) Jul 6, 2026
cut: -s (only-delimited) ignored when delimiter is a newline Low
CVE-2026-35343 was published for uu_cut (Rust) Jul 6, 2026
ln: rejects non-UTF-8 source filenames in target-directory mode Low
CVE-2026-35373 was published for uu_ln (Rust) Jul 6, 2026
comm: lossy UTF-8 conversion silently corrupts non-UTF-8 output Low
CVE-2026-35346 was published for uu_comm (Rust) Jul 6, 2026
mktemp: empty TMPDIR creates temp files in CWD instead of /tmp Low
CVE-2026-35342 was published for uu_mktemp (Rust) Jul 6, 2026
Zebra has pre-handshake buffer capacity reservation based on attacker-claimed body length Low
GHSA-h72h-ppcx-998p was published for zebra-network (Rust) Jul 2, 2026
ouicate Credited to ouicate and oxarbitrage oxarbitrage oxarbitrage
zebrad vulnerable to getblocks/getheaders locator CPU amplification via uncapped vector length Low
GHSA-443g-gwgp-49x4 was published for zebra-chain (Rust) Jul 2, 2026
dingledropper Credited to dingledropper, mpguerra, and oxarbitrage mpguerra mpguerra
oxarbitrage oxarbitrage
Cargo can be coerced to share credentials between registries Low
CVE-2026-5222 was published for cargo (Rust) Jun 26, 2026
christos-spearbit Credited to christos-spearbit, arlosi, weihanglo, ehuss, emilyalbini, cuviper, and Manishearth arlosi arlosi
weihanglo weihanglo ehuss ehuss emilyalbini emilyalbini cuviper cuviper Manishearth Manishearth
fixurjavainstall: Previous Fuji versions can accidentally wipe `/usr/share/man/man8` Low
GHSA-fq3w-p4fg-mw73 was published for fixurjavainstall (Rust) Jun 25, 2026
EpicVon2468 Credited to EpicVon2468
diesel-async may expose uninitialized padding bytes for MySQL temporal columns Low
GHSA-ff9q-rm55-q7qr was published for diesel-async (Rust) May 7, 2026
paolobarbolini Credited to paolobarbolini
Kanidm has non-constant-time comparison of OAuth2 client_secret Low
GHSA-53hj-r94p-8c8f was published for kanidm (Rust) May 6, 2026
mbarbero Credited to mbarbero
webauthn-rs-core/webauthn-authenticator-rs: Origin validation mismatch possible when subdomains are allowed Low
GHSA-22w3-693w-x895 was published for webauthn-authenticator-rs (Rust) May 6, 2026
dorakemon Credited to dorakemon
rpassword affected by partial password reveal when input is interrupted Low
GHSA-2p6r-x3vv-xqm2 was published for rpassword (Rust) May 6, 2026
DevLaTron Credited to DevLaTron and squell squell squell
astral-tokio-tar: `unpack_in` can chmod arbitrary directories by following symlinks Low
GHSA-xx64-wwv2-hcqq was published for astral-tokio-tar (Rust) May 6, 2026
LawnGnome Credited to LawnGnome and woodruffw woodruffw woodruffw
sequoia-git has broken hard revocation handling Low
GHSA-g27r-r6ph-vf5r was published for sequoia-git (Rust) May 4, 2026
nimiq-transaction: Panic via `HistoryTreeProof` length mismatch Low
CVE-2026-34067 was published for nimiq-transaction (Rust) Apr 22, 2026
1seal Credited to 1seal and paberr paberr paberr
Duplicate Advisory: uutils coreutils has an Improper Handling of Unicode Encoding Issue Low
GHSA-xh5h-p8c5-4w4x was published for coreutils (Rust) Apr 22, 2026 withdrawn
Duplicate Advisory: uutils coreutils's User Interface (UI) Misrepresents Critical Information Low
GHSA-53gr-wmf4-8hh3 was published for coreutils (Rust) Apr 22, 2026 withdrawn
ProTip! Advisories are also available from the GraphQL API