GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
217 advisories
Filter by severity
Decompress: Archive extraction can create files and links outside of the target directory
Critical
CVE-2026-53486
was published
for
@xhmikosr/decompress
(npm)
Jul 6, 2026
mv: symlinks expanded during cross-device move (resource exhaustion / data duplication)
Moderate
CVE-2026-35365
was published
for
uu_mv
(Rust)
Jul 6, 2026
rm: --preserve-root bypassed via a symlink to / (string check instead of dev/inode)
Moderate
CVE-2026-35349
was published
for
uu_rm
(Rust)
Jul 6, 2026
install -D: symlink race in directory creation allows arbitrary file overwrite
Moderate
CVE-2026-35356
was published
for
uu_install
(Rust)
Jul 6, 2026
install: TOCTOU symlink race (unlink-then-create without O_EXCL) allows arbitrary file overwrite
Moderate
CVE-2026-35355
was published
for
uu_install
(Rust)
Jul 6, 2026
chmod: --preserve-root bypassed by any path that resolves to root (e.g. /../)
High
CVE-2026-35338
was published
for
uu_chmod
(Rust)
Jul 6, 2026
`oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution
High
CVE-2026-50163
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
land.oras:oras-java-sdk: Symlink-based path traversal in ArchiveUtils.untar / unzip allows arbitrary file write outside extraction directory
Low
GHSA-j6hm-v3x2-qv6j
was published
for
land.oras:oras-java-sdk
(Maven)
Jul 1, 2026
@anthropic-ai/claude-code has an Insecure Temporary File in /copy Command that Enables Response Disclosure and Symlink-Based File Write
Moderate
CVE-2026-46406
was published
for
@anthropic-ai/claude-code
(npm)
Jun 25, 2026
Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym
Critical
CVE-2026-52811
was published
for
gogs.io/gogs
(Go)
Jun 23, 2026
Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload
Critical
CVE-2026-54352
was published
for
@budibase/server
(npm)
Jun 22, 2026
skillctl: argument injection, path traversal in --dest, FIFO/device DoS, hardlink exfiltration, and commit-trailer forgery
High
GHSA-74p7-6h78-gw8p
was published
for
skillctl
(Rust)
Jun 22, 2026
pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size
Moderate
GHSA-4xgf-cpjx-pc3j
was published
for
pydantic-settings
(pip)
Jun 19, 2026
Network-AI: EnvironmentManager.backup() follows symlinked directories and copies files outside the environment root into backups
Moderate
GHSA-6x2m-p4xp-wg22
was published
for
network-ai
(npm)
Jun 19, 2026
go.qbee.io/transport: Symlink-chain path traversal in tar extraction (one level outside destination)
Moderate
CVE-2026-55828
was published
for
go.qbee.io/transport
(Go)
Jun 19, 2026
py7zr: Arbitrary File Write Vulnerability
High
CVE-2026-23879
was published
for
py7zr
(pip)
Jun 19, 2026
Hugo: Symlink confinement bypass in os.ReadFile
Moderate
GHSA-c3wq-j5vh-68rc
was published
for
github.com/gohugoio/hugo
(Go)
Jun 19, 2026
Crawl4AI: Arbitrary file write (path traversal) in crawler downloads can lead to RCE
Critical
GHSA-2jq4-q6vv-4cp3
was published
for
crawl4ai
(pip)
Jun 18, 2026
BBOT: Symlink-Following Arbitrary Write via github_workflows Module
Low
CVE-2026-12567
was published
for
bbot
(pip)
Jun 18, 2026
Podman: WORKDIR symlink traversal vulnerability
Moderate
CVE-2026-55686
was published
for
github.com/containers/podman/v3
(Go)
Jun 18, 2026
Chrome DevTools for agents: daemon.pid write follows symlinks in /tmp fallback runtime directory
Moderate
CVE-2026-53765
was published
for
chrome-devtools-mcp
(npm)
Jun 17, 2026
Crawl4AI: Arbitrary file write (symlink/TOCTOU) plus log and webhook-header injection in Docker server
High
GHSA-7cx2-g3h9-382p
was published
for
crawl4ai
(pip)
Jun 16, 2026
Hugo: Symlink confinement bypass in resources.Get
Moderate
CVE-2026-50135
was published
for
github.com/gohugoio/hugo
(Go)
Jun 16, 2026
LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders
Moderate
CVE-2026-55443
was published
for
langchain
(pip)
Jun 16, 2026
Microsoft Security Advisory CVE-2026-45491 – .NET Tampering Vulnerability
Moderate
CVE-2026-45491
was published
for
Microsoft.NETCore.App.Runtime.linux-x64
(NuGet)
Jun 16, 2026
ProTip!
Advisories are also available from the
GraphQL API