Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,493 advisories

Loading
Wasmtime: Memory leak in C API with `externref` and `anyref` types Low
CVE-2025-61670 was published for wasmtime-bin (pip) Jul 14, 2026
alexcrichton Credited to alexcrichton
`exploration` was removed from crates.io for malicious code Critical
GHSA-99j7-fhr2-xfj4 was published for exploration (Rust) Jul 10, 2026
Lechu69 Credited to Lechu69
Rattler vulnerable to package cache path traversal via conda package build string Moderate
CVE-2026-53956 was published for py_rattler (pip) Jul 9, 2026
OneRingBuf has a Use After Free Vulnerability Moderate
GHSA-q95x-7g78-rccv was published for oneringbuf (Rust) Jul 8, 2026
async-tar PAX extension-header desync enables tar entry/content smuggling Moderate
CVE-2026-53600 was published for async-tar (Rust) Jul 8, 2026
tonghuaroot Credited to tonghuaroot
wasmtime-wasi: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction High
CVE-2026-47261 was published for wasmtime-wasi (Rust) Jun 5, 2026
shumbo Credited to shumbo
rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path Low
GHSA-cwv4-h3j5-w3cf was published for rama (Rust) Jul 7, 2026
chaitanyagarware Credited to chaitanyagarware
ratex-parser has unbounded parser recursion that leads to stack overflow (process abort) Moderate
CVE-2026-53531 was published for ratex-parser (Rust) Jul 7, 2026
nikkoenggaliano Credited to nikkoenggaliano
ratex-parser panics on `\verb` with a multibyte delimiter (UTF-8 byte-boundary slice) High
CVE-2026-53530 was published for ratex-parser (Rust) Jul 7, 2026
nikkoenggaliano Credited to nikkoenggaliano
cut: -s ignored in -z -d '' newline-delimiter mode Low
CVE-2026-35381 was published for uu_cut (Rust) Jul 6, 2026
Duplicate Advisory: uutils coreutils has an Incorrect Provision of Specified Functionality Issue in its cut Utility Low
GHSA-532v-xp3f-837c was published for coreutils (Rust) Apr 22, 2026 withdrawn
mknod: Device nodes created mislabeled on SELinux, with broken cleanup (remove_dir on a node) Low
CVE-2026-35361 was published for uu_mknod (Rust) Jul 6, 2026
Duplicate Advisory: uutils coreutils has an Improper Preservation of Permissions issue Low
GHSA-79rc-qpw3-jv92 was published for coreutils (Rust) Apr 22, 2026 withdrawn
mkfifo: permissions of an existing file are changed after FIFO creation fails High
CVE-2026-35341 was published for uu_mkfifo (Rust) Jul 6, 2026
Duplicate Advisory: uutils coreutils allows unauthorized modification of permissions on existing files High
GHSA-w8m4-4v35-v6x3 was published for coreutils (Rust) Apr 22, 2026 withdrawn
defuse Credited to defuse, nuttycom, daira, conradoplg, mpguerra, and alchemydc nuttycom nuttycom
daira daira conradoplg conradoplg mpguerra mpguerra alchemydc alchemydc
printenv: environment variables with invalid UTF-8 are silently skipped (evades inspection) Moderate
CVE-2026-35366 was published for uu_printenv (Rust) Jul 6, 2026
Duplicate Advisory: uutils coreutils has an Improper Check for Unusual or Exceptional Conditions Moderate
GHSA-7259-cwhx-3xx3 was published for coreutils (Rust) Apr 22, 2026 withdrawn
uucore: safe_traversal TOCTOU protection only enabled on Linux Low
CVE-2026-35362 was published for uucore (Rust) Jul 6, 2026
Duplicate Advisory: uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition Low
GHSA-ggc5-46rg-mr4v was published for coreutils (Rust) Apr 22, 2026 withdrawn
mv: symlinks expanded during cross-device move (resource exhaustion / data duplication) Moderate
CVE-2026-35365 was published for uu_mv (Rust) Jul 6, 2026
Duplicate Advisory: uutils coreutils has a Link Following issue Moderate
GHSA-66fx-fqv6-5wwx was published for coreutils (Rust) Apr 22, 2026 withdrawn
cp: -R reads device nodes as streams, destroying device semantics Moderate
CVE-2026-35358 was published for uu_cp (Rust) Jul 6, 2026
ProTip! Advisories are also available from the GraphQL API