Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

608 advisories

Loading
chmod: --preserve-root bypassed by any path that resolves to root (e.g. /../) High
CVE-2026-35338 was published for uu_chmod (Rust) Jul 6, 2026
`oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution High
CVE-2026-50163 was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
anvanster Credited to anvanster
py7zr: Arbitrary File Write Vulnerability High
CVE-2026-23879 was published for py7zr (pip) Jun 19, 2026
HughLewis20 Credited to HughLewis20
Crawl4AI: Arbitrary file write (symlink/TOCTOU) plus log and webhook-header injection in Docker server High
GHSA-7cx2-g3h9-382p was published for crawl4ai (pip) Jun 16, 2026
Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path High
CVE-2026-41236 was published for froxlor/froxlor (Composer) May 29, 2026
larlarua Credited to larlarua
KubeVirt has a Link Following issue High
CVE-2026-9804 was published for kubevirt.io/kubevirt (Go) May 28, 2026
Jenkins Pipeline: Groovy Libraries Plugin does not prohibit symbolic links in shared libraries High
CVE-2026-48921 was published for io.jenkins.plugins:pipeline-groovy-lib (Maven) May 27, 2026
ProTip! Advisories are also available from the GraphQL API