GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,269
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,487
Swift
61
Unreviewed advisories
All unreviewed
5,000+
45 advisories
Filter by severity
pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size
Moderate
GHSA-4xgf-cpjx-pc3j
was published
for
pydantic-settings
(pip)
Jun 19, 2026
py7zr: Arbitrary File Write Vulnerability
High
CVE-2026-23879
was published
for
py7zr
(pip)
Jun 19, 2026
Crawl4AI: Arbitrary file write (path traversal) in crawler downloads can lead to RCE
Critical
GHSA-2jq4-q6vv-4cp3
was published
for
crawl4ai
(pip)
Jun 18, 2026
BBOT: Symlink-Following Arbitrary Write via github_workflows Module
Low
CVE-2026-12567
was published
for
bbot
(pip)
Jun 18, 2026
Crawl4AI: Arbitrary file write (symlink/TOCTOU) plus log and webhook-header injection in Docker server
High
GHSA-7cx2-g3h9-382p
was published
for
crawl4ai
(pip)
Jun 16, 2026
LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders
Moderate
CVE-2026-55443
was published
for
langchain
(pip)
Jun 16, 2026
Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree
High
CVE-2026-45539
was published
for
apm
(pip)
May 18, 2026
PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`
High
CVE-2026-44340
was published
for
PraisonAI
(pip)
May 11, 2026
BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context
Moderate
CVE-2026-40610
was published
for
bentoml
(pip)
May 7, 2026
ciguard: discover_pipeline_files follows symlinks out of scan root
Low
CVE-2026-44220
was published
for
ciguard
(pip)
May 5, 2026
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
Moderate
CVE-2026-28684
was published
for
python-dotenv
(pip)
Apr 21, 2026
Weblate: Arbitrary File Read via Symlink
High
CVE-2026-34242
was published
for
weblate
(pip)
Apr 16, 2026
ONNX: TOCTOU arbitrary file read/write in save_external_dat
High
GHSA-q56x-g2fj-4rj6
was published
for
onnx
(pip)
Apr 1, 2026
Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox Escape
Moderate
CVE-2026-34452
was published
for
anthropic
(pip)
Apr 1, 2026
BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction
High
CVE-2026-27905
was published
for
bentoml
(pip)
Mar 3, 2026
virtualenv Has TOCTOU Vulnerabilities in Directory Creation
Moderate
CVE-2026-22702
was published
for
virtualenv
(pip)
Jan 13, 2026
filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock
Moderate
CVE-2026-22701
was published
for
filelock
(pip)
Jan 13, 2026
Weblate has an arbitrary file read via symbolic links
High
CVE-2025-68279
was published
for
Weblate
(pip)
Dec 18, 2025
filelock has a TOCTOU race condition which allows symlink attacks during lock file creation
Moderate
CVE-2025-68146
was published
for
filelock
(pip)
Dec 16, 2025
pip's fallback tar extraction doesn't check symbolic links point to extraction directory
Moderate
CVE-2025-8869
was published
for
pip
(pip)
Sep 24, 2025
GluonCV Arbitrary File Write via TarSlip
High
CVE-2024-12216
was published
for
gluoncv
(pip)
Mar 20, 2025
qdrant input validation failure
Critical
CVE-2024-3829
was published
for
qdrant-client
(pip)
Jun 3, 2024
binwalk vulnerable to UNIX Symbolic Link (Symlink) Following
Moderate
CVE-2021-4287
was published
for
binwalk
(pip)
Dec 27, 2022
Fabric vulnerable to symlink attack on tmp files
Moderate
CVE-2011-2185
was published
for
fabric
(pip)
May 17, 2022
Virtualenv Allows Symlink Attack on /tmp/
Moderate
CVE-2011-4617
was published
for
virtualenv
(pip)
May 17, 2022
ProTip!
Advisories are also available from the
GraphQL API