GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,269
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,487
Swift
61
Unreviewed advisories
All unreviewed
5,000+
1,401 advisories
Filter by severity
OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR
High
CVE-2026-41433
was published
for
go.opentelemetry.io/obi
(Go)
Apr 17, 2026
Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing
High
CVE-2026-40931
was published
for
compressing
(npm)
Apr 17, 2026
Weblate: Arbitrary File Read via Symlink
High
CVE-2026-34242
was published
for
weblate
(pip)
Apr 16, 2026
Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron
High
CVE-2026-41231
was published
for
froxlor/froxlor
(Composer)
Apr 16, 2026
A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated,...
Moderate
Unreviewed
CVE-2026-20161
was published
Apr 15, 2026
During an internal security assessment, a potential vulnerability was discovered in Lenovo...
Moderate
Unreviewed
CVE-2026-4135
was published
Apr 15, 2026
During an internal security assessment, a potential vulnerability was discovered in Lenovo...
Moderate
Unreviewed
CVE-2026-0827
was published
Apr 15, 2026
Improper link resolution before file access ('link following') in Universal Plug and Play (upnp...
Moderate
Unreviewed
CVE-2026-32212
was published
Apr 14, 2026
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in...
Moderate
Unreviewed
CVE-2026-32282
was published
Apr 8, 2026
OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal
High
CVE-2026-41397
was published
for
openclaw
(npm)
Apr 3, 2026
This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia...
High
Unreviewed
CVE-2025-43257
was published
Apr 2, 2026
OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host
High
CVE-2026-41364
was published
for
openclaw
(npm)
Apr 2, 2026
ONNX: TOCTOU arbitrary file read/write in save_external_dat
High
GHSA-q56x-g2fj-4rj6
was published
for
onnx
(pip)
Apr 1, 2026
Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox Escape
Moderate
CVE-2026-34452
was published
for
anthropic
(pip)
Apr 1, 2026
@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions
High
CVE-2026-34604
was published
for
@tinacms/graphql
(npm)
Apr 1, 2026
@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions
High
CVE-2026-34603
was published
for
@tinacms/graphql
(npm)
Apr 1, 2026
BuildKit Git URL subdir component can cause access to restricted files
High
CVE-2026-33748
was published
for
github.com/moby/buildkit
(Go)
Mar 26, 2026
This issue was addressed with improved validation of symlinks. This issue is fixed in iOS 18.7.7...
Moderate
Unreviewed
CVE-2026-28866
was published
Mar 25, 2026
This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 26.3 and...
Moderate
Unreviewed
CVE-2026-20694
was published
Mar 25, 2026
This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia...
Moderate
Unreviewed
CVE-2026-20633
was published
Mar 25, 2026
Duplicate Advisory: OpenClaw has browser trace/download path symlink escape in temp output handling
Moderate
GHSA-ffr4-mrhv-vfr2
was published
for
openclaw
(npm)
Mar 21, 2026
•
withdrawn
Duplicate Advisory: OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace
Moderate
GHSA-2cwr-f5hx-gg3w
was published
for
openclaw
(npm)
Mar 19, 2026
•
withdrawn
Jenkins has a link following vulnerability allows arbitrary file creation
High
CVE-2026-33001
was published
for
org.jenkins-ci.main:jenkins-core
(Maven)
Mar 18, 2026
Capgo CLI: symlink-following local secret writes enable arbitrary file overwrite + world-readable credentials (0600 missing)
High
GHSA-8mpm-q7mh-8fvh
was published
for
@capgo/cli
(npm)
Mar 18, 2026
OpenClaw: Sandbox staged writes could escape the verified parent directory before commit
High
GHSA-mj4p-rc52-m843
was published
for
openclaw
(npm)
Mar 13, 2026
ProTip!
Advisories are also available from the
GraphQL API