Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

570 advisories

Loading
Lechu69 Credited to Lechu69
Rattler vulnerable to package cache path traversal via conda package build string Moderate
CVE-2026-53956 was published for py_rattler (pip) Jul 9, 2026
OneRingBuf has a Use After Free Vulnerability Moderate
GHSA-q95x-7g78-rccv was published for oneringbuf (Rust) Jul 8, 2026
async-tar PAX extension-header desync enables tar entry/content smuggling Moderate
CVE-2026-53600 was published for async-tar (Rust) Jul 8, 2026
tonghuaroot Credited to tonghuaroot
ratex-parser has unbounded parser recursion that leads to stack overflow (process abort) Moderate
CVE-2026-53531 was published for ratex-parser (Rust) Jul 7, 2026
nikkoenggaliano Credited to nikkoenggaliano
printenv: environment variables with invalid UTF-8 are silently skipped (evades inspection) Moderate
CVE-2026-35366 was published for uu_printenv (Rust) Jul 6, 2026
mv: symlinks expanded during cross-device move (resource exhaustion / data duplication) Moderate
CVE-2026-35365 was published for uu_mv (Rust) Jul 6, 2026
cp: -R reads device nodes as streams, destroying device semantics Moderate
CVE-2026-35358 was published for uu_cp (Rust) Jul 6, 2026
comm: FIFO/pipe inputs are drained before comparison (data loss / hang) Moderate
CVE-2026-35347 was published for uu_comm (Rust) Jul 6, 2026
id: groups= computed from real GID instead of effective GID Moderate
CVE-2026-35370 was published for uu_id (Rust) Jul 6, 2026
rm: --preserve-root bypassed via a symlink to / (string check instead of dev/inode) Moderate
CVE-2026-35349 was published for uu_rm (Rust) Jul 6, 2026
kill: 'kill -1' parsed as PID -1, sending SIGTERM to all processes (system crash / DoS) Moderate
CVE-2026-35369 was published for uu_kill (Rust) Jul 6, 2026
install -D: symlink race in directory creation allows arbitrary file overwrite Moderate
CVE-2026-35356 was published for uu_install (Rust) Jul 6, 2026
install: TOCTOU symlink race (unlink-then-create without O_EXCL) allows arbitrary file overwrite Moderate
CVE-2026-35355 was published for uu_install (Rust) Jul 6, 2026
chmod: recursive mode returns exit code 0 even when some files fail (last-file-wins) Moderate
CVE-2026-35339 was published for uu_chmod (Rust) Jul 6, 2026
jxl-oxide: `FrameBuffer::new` creates out-of-bounds slices on overflow Moderate
GHSA-66m8-c62j-h6v5 was published for jxl-oxide (Rust) Jul 2, 2026
jxl-oxide: integer subtraction overflow panic in cluster_from_table via crafted JXL input (DoS) Moderate
GHSA-2v8p-fqpx-2q3w was published for jxl-modular (Rust) Jul 2, 2026
impost0r Credited to impost0r
AnticsDecoded Credited to AnticsDecoded and mpguerra mpguerra mpguerra
zebrad has persistent on-disk corruption of Sapling/Orchard subtree roots after chain fork via pop_tip Moderate
CVE-2026-52733 was published for zebra-state (Rust) Jul 2, 2026
dingledropper Credited to dingledropper, mpguerra, and upbqdn mpguerra mpguerra
upbqdn upbqdn
Zebra: Repeated Non-Finalized Shielded Transaction Aborts Zebra Before Duplicate-Nullifier Rejection Moderate
CVE-2026-52739 was published for zebra-state (Rust) Jul 2, 2026
Haxatron Credited to Haxatron, mpguerra, and conradoplg mpguerra mpguerra
conradoplg conradoplg
Zebra: Finalized address balance credit-first overflow on consensus-valid blocks Moderate
CVE-2026-52738 was published for zebra-state (Rust) Jul 2, 2026
sangsoo-osec Credited to sangsoo-osec, mpguerra, and oxarbitrage mpguerra mpguerra
oxarbitrage oxarbitrage
Zebra has sync restart poisoning from single unauthenticated peer via above-lookahead block Moderate
CVE-2026-52737 was published for zebra-consensus (Rust) Jul 2, 2026
ipwning Credited to ipwning, mpguerra, conradoplg, and oxarbitrage mpguerra mpguerra
conradoplg conradoplg oxarbitrage oxarbitrage
zebrad has mempool transaction admission denial via single-peer inbound queue saturation Moderate
CVE-2026-52732 was published for zebrad (Rust) Jul 2, 2026
dingledropper Credited to dingledropper, mpguerra, and oxarbitrage mpguerra mpguerra
oxarbitrage oxarbitrage
zebrad vulnerable to full node denial of service via crafted Sapling receiver in z_listunifiedreceivers Moderate
GHSA-c8w6-x74f-vmg3 was published for zebra-rpc (Rust) Jul 2, 2026
robustfengbin Credited to robustfengbin, mpguerra, and upbqdn mpguerra mpguerra
upbqdn upbqdn
ProTip! Advisories are also available from the GraphQL API