GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
570 advisories
Filter by severity
Windmill: Resource-scoped API tokens can read script contents outside their allowed path via scripts/list_search
Moderate
CVE-2026-54136
was published
for
windmill-api
(Rust)
Jul 10, 2026
Rattler vulnerable to package cache path traversal via conda package build string
Moderate
CVE-2026-53956
was published
for
py_rattler
(pip)
Jul 9, 2026
OneRingBuf has a Use After Free Vulnerability
Moderate
GHSA-q95x-7g78-rccv
was published
for
oneringbuf
(Rust)
Jul 8, 2026
async-tar PAX extension-header desync enables tar entry/content smuggling
Moderate
CVE-2026-53600
was published
for
async-tar
(Rust)
Jul 8, 2026
ratex-parser has unbounded parser recursion that leads to stack overflow (process abort)
Moderate
CVE-2026-53531
was published
for
ratex-parser
(Rust)
Jul 7, 2026
printenv: environment variables with invalid UTF-8 are silently skipped (evades inspection)
Moderate
CVE-2026-35366
was published
for
uu_printenv
(Rust)
Jul 6, 2026
mv: symlinks expanded during cross-device move (resource exhaustion / data duplication)
Moderate
CVE-2026-35365
was published
for
uu_mv
(Rust)
Jul 6, 2026
cp: -R reads device nodes as streams, destroying device semantics
Moderate
CVE-2026-35358
was published
for
uu_cp
(Rust)
Jul 6, 2026
rm: 'rm -rf ./' (and ./// variants) silently deletes current directory contents, bypassing dot protection
Moderate
CVE-2026-35363
was published
for
uu_rm
(Rust)
Jul 6, 2026
comm: FIFO/pipe inputs are drained before comparison (data loss / hang)
Moderate
CVE-2026-35347
was published
for
uu_comm
(Rust)
Jul 6, 2026
id: groups= computed from real GID instead of effective GID
Moderate
CVE-2026-35370
was published
for
uu_id
(Rust)
Jul 6, 2026
rm: --preserve-root bypassed via a symlink to / (string check instead of dev/inode)
Moderate
CVE-2026-35349
was published
for
uu_rm
(Rust)
Jul 6, 2026
kill: 'kill -1' parsed as PID -1, sending SIGTERM to all processes (system crash / DoS)
Moderate
CVE-2026-35369
was published
for
uu_kill
(Rust)
Jul 6, 2026
install -D: symlink race in directory creation allows arbitrary file overwrite
Moderate
CVE-2026-35356
was published
for
uu_install
(Rust)
Jul 6, 2026
install: TOCTOU symlink race (unlink-then-create without O_EXCL) allows arbitrary file overwrite
Moderate
CVE-2026-35355
was published
for
uu_install
(Rust)
Jul 6, 2026
chmod: recursive mode returns exit code 0 even when some files fail (last-file-wins)
Moderate
CVE-2026-35339
was published
for
uu_chmod
(Rust)
Jul 6, 2026
jxl-oxide: `FrameBuffer::new` creates out-of-bounds slices on overflow
Moderate
GHSA-66m8-c62j-h6v5
was published
for
jxl-oxide
(Rust)
Jul 2, 2026
jxl-oxide: integer subtraction overflow panic in cluster_from_table via crafted JXL input (DoS)
Moderate
GHSA-2v8p-fqpx-2q3w
was published
for
jxl-modular
(Rust)
Jul 2, 2026
zebrad has unbounded memory leak in mempool download pipeline via timeout path cancel_handles retention
Moderate
CVE-2026-52734
was published
for
zebrad
(Rust)
Jul 2, 2026
zebrad has persistent on-disk corruption of Sapling/Orchard subtree roots after chain fork via pop_tip
Moderate
CVE-2026-52733
was published
for
zebra-state
(Rust)
Jul 2, 2026
Zebra: Repeated Non-Finalized Shielded Transaction Aborts Zebra Before Duplicate-Nullifier Rejection
Moderate
CVE-2026-52739
was published
for
zebra-state
(Rust)
Jul 2, 2026
Zebra: Finalized address balance credit-first overflow on consensus-valid blocks
Moderate
CVE-2026-52738
was published
for
zebra-state
(Rust)
Jul 2, 2026
Zebra has sync restart poisoning from single unauthenticated peer via above-lookahead block
Moderate
CVE-2026-52737
was published
for
zebra-consensus
(Rust)
Jul 2, 2026
zebrad has mempool transaction admission denial via single-peer inbound queue saturation
Moderate
CVE-2026-52732
was published
for
zebrad
(Rust)
Jul 2, 2026
zebrad vulnerable to full node denial of service via crafted Sapling receiver in z_listunifiedreceivers
Moderate
GHSA-c8w6-x74f-vmg3
was published
for
zebra-rpc
(Rust)
Jul 2, 2026
ProTip!
Advisories are also available from the
GraphQL API