Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

124 advisories

Loading
sisp Credited to sisp and cbrown1234 cbrown1234 cbrown1234
cbrown1234 Credited to cbrown1234 and sisp sisp sisp
@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass Moderate
CVE-2026-24047 was published for @backstage/cli-common (npm) Jan 21, 2026
Claude Code has Permission Deny Bypass Through Symbolic Links Low
CVE-2026-25724 was published for @anthropic-ai/claude-code (npm) Feb 6, 2026
OpenClaw: Reject symlinks in local skill packaging script Moderate
CVE-2026-27485 was published for openclaw (npm) Feb 20, 2026
aether-ai-agent Credited to aether-ai-agent
Jenkins has a link following vulnerability allows arbitrary file creation High
CVE-2026-33001 was published for org.jenkins-ci.main:jenkins-core (Maven) Mar 18, 2026
bboe Credited to bboe
tar-rs `unpack_in` can chmod arbitrary directories by following symlinks Moderate
CVE-2026-33056 was published for tar (Rust) Mar 20, 2026
xokdvium Credited to xokdvium
YLChen-007 Credited to YLChen-007
Incus vulnerable to local privilege escalation through VM screenshot path Moderate
CVE-2026-33711 was published for github.com/lxc/incus/v6 (Go) Mar 27, 2026
stamparm Credited to stamparm and stgraber stgraber stgraber
onnx Vulnerable to Path Traversal via Symlink High
CVE-2026-27489 was published for onnx (pip) Mar 31, 2026
pi3ch Credited to pi3ch
ONNX: Arbitrary File Read via ExternalData Hardlink Bypass in ONNX load Moderate
CVE-2026-34446 was published for onnx (pip) Apr 1, 2026
ZeroXJacks Credited to ZeroXJacks
ONNX: External Data Symlink Traversal Moderate
CVE-2026-34447 was published for onnx (pip) Apr 1, 2026
jayashwaS Credited to jayashwaS
OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host High
CVE-2026-41364 was published for openclaw (npm) Apr 2, 2026
AntAISecurityLab Credited to AntAISecurityLab
LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates High
CVE-2026-35525 was published for liquidjs (npm) Apr 8, 2026
Jvr2022 Credited to Jvr2022
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback Moderate
CVE-2026-28684 was published for python-dotenv (pip) Apr 21, 2026
tsigouris007 Credited to tsigouris007 and bbc2 bbc2 bbc2
Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace High
CVE-2026-39861 was published for @anthropic-ai/claude-code (npm) Apr 21, 2026
uutils coreutils has a UNIX Symbolic Link (Symlink) Following issue Moderate
CVE-2026-35372 was published for coreutils (Rust) Apr 22, 2026
zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write High
CVE-2026-42275 was published for github.com/openziti/zrok (Go) Apr 25, 2026
bugbunny-research Credited to bugbunny-research
Kata Container has CopyFile Policy Subversion via Symlinks High
CVE-2026-41326 was published for github.com/kata-containers/kata-containers (Go) May 4, 2026
fitzthum Credited to fitzthum, calonso-nv, fikriwahab, burgerdev, danmihai1, jojimt, fidencio, and kodareef5 calonso-nv calonso-nv
fikriwahab fikriwahab burgerdev burgerdev danmihai1 danmihai1 jojimt jojimt fidencio fidencio kodareef5 kodareef5
ProTip! Advisories are also available from the GraphQL API