GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,269
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,487
Swift
61
Unreviewed advisories
All unreviewed
5,000+
1,401 advisories
Filter by severity
AWS Research and Engineering Studio (RES) is an open-source solution that enables researchers and...
High
Unreviewed
CVE-2026-14904
was published
Jul 7, 2026
Decompress: Archive extraction can create files and links outside of the target directory
Critical
CVE-2026-53486
was published
for
@xhmikosr/decompress
(npm)
Jul 6, 2026
mv: symlinks expanded during cross-device move (resource exhaustion / data duplication)
Moderate
CVE-2026-35365
was published
for
uu_mv
(Rust)
Jul 6, 2026
rm: --preserve-root bypassed via a symlink to / (string check instead of dev/inode)
Moderate
CVE-2026-35349
was published
for
uu_rm
(Rust)
Jul 6, 2026
install -D: symlink race in directory creation allows arbitrary file overwrite
Moderate
CVE-2026-35356
was published
for
uu_install
(Rust)
Jul 6, 2026
install: TOCTOU symlink race (unlink-then-create without O_EXCL) allows arbitrary file overwrite
Moderate
CVE-2026-35355
was published
for
uu_install
(Rust)
Jul 6, 2026
chmod: --preserve-root bypassed by any path that resolves to root (e.g. /../)
High
CVE-2026-35338
was published
for
uu_chmod
(Rust)
Jul 6, 2026
A weakness has been identified in zcaceres markdownify-mcp up to 1.1.0. The affected element is...
Moderate
Unreviewed
CVE-2026-14699
was published
Jul 5, 2026
Improper link resolution before file access ('link following') in Microsoft Edge (Chromium-based)...
High
Unreviewed
CVE-2026-57991
was published
Jul 3, 2026
Gitea versions before 1.25.5 mishandle path resolution during template repository generation,...
Critical
Unreviewed
CVE-2026-25718
was published
Jul 3, 2026
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0...
Moderate
Unreviewed
CVE-2026-46464
was published
Jul 3, 2026
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0...
Moderate
Unreviewed
CVE-2026-44269
was published
Jul 3, 2026
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0...
Moderate
Unreviewed
CVE-2026-46468
was published
Jul 3, 2026
`oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution
High
CVE-2026-50163
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
Dell Device Management Agent, versions prior to DDMA 26.05, contain an Improper Link Resolution...
High
Unreviewed
CVE-2026-41121
was published
Jul 1, 2026
land.oras:oras-java-sdk: Symlink-based path traversal in ArchiveUtils.untar / unzip allows arbitrary file write outside extraction directory
Low
GHSA-j6hm-v3x2-qv6j
was published
for
land.oras:oras-java-sdk
(Maven)
Jul 1, 2026
acl before version 2.4.0 contains a symlink traversal vulnerability in the libacl pathname-based...
High
Unreviewed
CVE-2026-54369
was published
Jun 29, 2026
attr before version 2.6.0 contains a symlink traversal vulnerability in the getfattr and setfattr...
High
Unreviewed
CVE-2026-54371
was published
Jun 29, 2026
@anthropic-ai/claude-code has an Insecure Temporary File in /copy Command that Enables Response Disclosure and Symlink-Based File Write
Moderate
CVE-2026-46406
was published
for
@anthropic-ai/claude-code
(npm)
Jun 25, 2026
ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows...
High
Unreviewed
CVE-2026-35025
was published
Jun 24, 2026
NanoClaw before 2.1.17 contains a symlink following vulnerability in forwardAttachedFiles that...
Moderate
Unreviewed
CVE-2026-56692
was published
Jun 23, 2026
Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym
Critical
CVE-2026-52811
was published
for
gogs.io/gogs
(Go)
Jun 23, 2026
Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload
Critical
CVE-2026-54352
was published
for
@budibase/server
(npm)
Jun 22, 2026
skillctl: argument injection, path traversal in --dest, FIFO/device DoS, hardlink exfiltration, and commit-trailer forgery
High
GHSA-74p7-6h78-gw8p
was published
for
skillctl
(Rust)
Jun 22, 2026
Dell Wyse Management Suite (WMS), versions prior to WMS 2605, contain an Improper Link Resolution...
High
Unreviewed
CVE-2026-44274
was published
Jun 22, 2026
ProTip!
Advisories are also available from the
GraphQL API