GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
1,493 advisories
Filter by severity
Wasmtime: Memory leak in C API with `externref` and `anyref` types
Low
CVE-2025-61670
was published
for
wasmtime-bin
(pip)
Jul 14, 2026
`exploration` was removed from crates.io for malicious code
Critical
GHSA-99j7-fhr2-xfj4
was published
for
exploration
(Rust)
Jul 10, 2026
Windmill: Resource-scoped API tokens can read script contents outside their allowed path via scripts/list_search
Moderate
CVE-2026-54136
was published
for
windmill-api
(Rust)
Jul 10, 2026
Rattler vulnerable to package cache path traversal via conda package build string
Moderate
CVE-2026-53956
was published
for
py_rattler
(pip)
Jul 9, 2026
OneRingBuf has a Use After Free Vulnerability
Moderate
GHSA-q95x-7g78-rccv
was published
for
oneringbuf
(Rust)
Jul 8, 2026
async-tar PAX extension-header desync enables tar entry/content smuggling
Moderate
CVE-2026-53600
was published
for
async-tar
(Rust)
Jul 8, 2026
wasmtime-wasi: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction
High
CVE-2026-47261
was published
for
wasmtime-wasi
(Rust)
Jun 5, 2026
rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path
Low
GHSA-cwv4-h3j5-w3cf
was published
for
rama
(Rust)
Jul 7, 2026
ratex-parser has unbounded parser recursion that leads to stack overflow (process abort)
Moderate
CVE-2026-53531
was published
for
ratex-parser
(Rust)
Jul 7, 2026
ratex-parser panics on `\verb` with a multibyte delimiter (UTF-8 byte-boundary slice)
High
CVE-2026-53530
was published
for
ratex-parser
(Rust)
Jul 7, 2026
uutils coreutils: cp/install/mv/ln --suffix alone does not enable backup mode (silent data loss vs GNU)
High
GHSA-fqf6-gxhh-2xhw
was published
for
uucore
(Rust)
Jul 7, 2026
cut: -s ignored in -z -d '' newline-delimiter mode
Low
CVE-2026-35381
was published
for
uu_cut
(Rust)
Jul 6, 2026
Duplicate Advisory: uutils coreutils has an Incorrect Provision of Specified Functionality Issue in its cut Utility
Low
GHSA-532v-xp3f-837c
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
mknod: Device nodes created mislabeled on SELinux, with broken cleanup (remove_dir on a node)
Low
CVE-2026-35361
was published
for
uu_mknod
(Rust)
Jul 6, 2026
Duplicate Advisory: uutils coreutils has an Improper Preservation of Permissions issue
Low
GHSA-79rc-qpw3-jv92
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
mkfifo: permissions of an existing file are changed after FIFO creation fails
High
CVE-2026-35341
was published
for
uu_mkfifo
(Rust)
Jul 6, 2026
Duplicate Advisory: uutils coreutils allows unauthorized modification of permissions on existing files
High
GHSA-w8m4-4v35-v6x3
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
Zebra: Missing copy constraint in halo2_gadgets variable-base scalar multiplication allows under-constrained base, breaking Orchard Action circuit soundness
Critical
CVE-2026-54496
was published
for
halo2_gadgets
(Rust)
Jul 6, 2026
printenv: environment variables with invalid UTF-8 are silently skipped (evades inspection)
Moderate
CVE-2026-35366
was published
for
uu_printenv
(Rust)
Jul 6, 2026
Duplicate Advisory: uutils coreutils has an Improper Check for Unusual or Exceptional Conditions
Moderate
GHSA-7259-cwhx-3xx3
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
uucore: safe_traversal TOCTOU protection only enabled on Linux
Low
CVE-2026-35362
was published
for
uucore
(Rust)
Jul 6, 2026
Duplicate Advisory: uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition
Low
GHSA-ggc5-46rg-mr4v
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
mv: symlinks expanded during cross-device move (resource exhaustion / data duplication)
Moderate
CVE-2026-35365
was published
for
uu_mv
(Rust)
Jul 6, 2026
Duplicate Advisory: uutils coreutils has a Link Following issue
Moderate
GHSA-66fx-fqv6-5wwx
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
cp: -R reads device nodes as streams, destroying device semantics
Moderate
CVE-2026-35358
was published
for
uu_cp
(Rust)
Jul 6, 2026
ProTip!
Advisories are also available from the
GraphQL API