Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

571 advisories

Loading
serde_with: KeyValueMap serialization panics on empty sequence or map entries Moderate
GHSA-7gcf-g7xr-8hxj was published for serde_with (Rust) Jul 15, 2026
7thParkk Credited to 7thParkk
Lechu69 Credited to Lechu69
Rattler vulnerable to package cache path traversal via conda package build string Moderate
CVE-2026-53956 was published for py_rattler (pip) Jul 9, 2026
OneRingBuf has a Use After Free Vulnerability Moderate
GHSA-q95x-7g78-rccv was published for oneringbuf (Rust) Jul 8, 2026
async-tar PAX extension-header desync enables tar entry/content smuggling Moderate
CVE-2026-53600 was published for async-tar (Rust) Jul 8, 2026
tonghuaroot Credited to tonghuaroot
ratex-parser has unbounded parser recursion that leads to stack overflow (process abort) Moderate
CVE-2026-53531 was published for ratex-parser (Rust) Jul 7, 2026
nikkoenggaliano Credited to nikkoenggaliano
printenv: environment variables with invalid UTF-8 are silently skipped (evades inspection) Moderate
CVE-2026-35366 was published for uu_printenv (Rust) Jul 6, 2026
mv: symlinks expanded during cross-device move (resource exhaustion / data duplication) Moderate
CVE-2026-35365 was published for uu_mv (Rust) Jul 6, 2026
cp: -R reads device nodes as streams, destroying device semantics Moderate
CVE-2026-35358 was published for uu_cp (Rust) Jul 6, 2026
comm: FIFO/pipe inputs are drained before comparison (data loss / hang) Moderate
CVE-2026-35347 was published for uu_comm (Rust) Jul 6, 2026
id: groups= computed from real GID instead of effective GID Moderate
CVE-2026-35370 was published for uu_id (Rust) Jul 6, 2026
rm: --preserve-root bypassed via a symlink to / (string check instead of dev/inode) Moderate
CVE-2026-35349 was published for uu_rm (Rust) Jul 6, 2026
kill: 'kill -1' parsed as PID -1, sending SIGTERM to all processes (system crash / DoS) Moderate
CVE-2026-35369 was published for uu_kill (Rust) Jul 6, 2026
install -D: symlink race in directory creation allows arbitrary file overwrite Moderate
CVE-2026-35356 was published for uu_install (Rust) Jul 6, 2026
install: TOCTOU symlink race (unlink-then-create without O_EXCL) allows arbitrary file overwrite Moderate
CVE-2026-35355 was published for uu_install (Rust) Jul 6, 2026
chmod: recursive mode returns exit code 0 even when some files fail (last-file-wins) Moderate
CVE-2026-35339 was published for uu_chmod (Rust) Jul 6, 2026
jxl-oxide: `FrameBuffer::new` creates out-of-bounds slices on overflow Moderate
GHSA-66m8-c62j-h6v5 was published for jxl-oxide (Rust) Jul 2, 2026
jxl-oxide: integer subtraction overflow panic in cluster_from_table via crafted JXL input (DoS) Moderate
GHSA-2v8p-fqpx-2q3w was published for jxl-modular (Rust) Jul 2, 2026
impost0r Credited to impost0r
AnticsDecoded Credited to AnticsDecoded and mpguerra mpguerra mpguerra
zebrad has persistent on-disk corruption of Sapling/Orchard subtree roots after chain fork via pop_tip Moderate
CVE-2026-52733 was published for zebra-state (Rust) Jul 2, 2026
dingledropper Credited to dingledropper, mpguerra, and upbqdn mpguerra mpguerra
upbqdn upbqdn
Zebra: Repeated Non-Finalized Shielded Transaction Aborts Zebra Before Duplicate-Nullifier Rejection Moderate
CVE-2026-52739 was published for zebra-state (Rust) Jul 2, 2026
Haxatron Credited to Haxatron, mpguerra, and conradoplg mpguerra mpguerra
conradoplg conradoplg
Zebra: Finalized address balance credit-first overflow on consensus-valid blocks Moderate
CVE-2026-52738 was published for zebra-state (Rust) Jul 2, 2026
sangsoo-osec Credited to sangsoo-osec, mpguerra, and oxarbitrage mpguerra mpguerra
oxarbitrage oxarbitrage
Zebra has sync restart poisoning from single unauthenticated peer via above-lookahead block Moderate
CVE-2026-52737 was published for zebra-consensus (Rust) Jul 2, 2026
ipwning Credited to ipwning, mpguerra, conradoplg, and oxarbitrage mpguerra mpguerra
conradoplg conradoplg oxarbitrage oxarbitrage
zebrad has mempool transaction admission denial via single-peer inbound queue saturation Moderate
CVE-2026-52732 was published for zebrad (Rust) Jul 2, 2026
dingledropper Credited to dingledropper, mpguerra, and oxarbitrage mpguerra mpguerra
oxarbitrage oxarbitrage
ProTip! Advisories are also available from the GraphQL API