Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

217 advisories

Loading
Apache Airflow has a Link Following issue Moderate
CVE-2026-40861 was published for apache-airflow (pip) Jun 1, 2026
LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders Moderate
CVE-2026-55443 was published for langchain (pip) Jun 16, 2026
Mistz1 Credited to Mistz1 and deprrous deprrous deprrous
Decompress: Archive extraction can create files and links outside of the target directory Critical
CVE-2026-53486 was published for @xhmikosr/decompress (npm) Jul 6, 2026
XhmikosR Credited to XhmikosR
mv: symlinks expanded during cross-device move (resource exhaustion / data duplication) Moderate
CVE-2026-35365 was published for uu_mv (Rust) Jul 6, 2026
Duplicate Advisory: uutils coreutils has a Link Following issue Moderate
GHSA-66fx-fqv6-5wwx was published for coreutils (Rust) Apr 22, 2026 withdrawn
rm: --preserve-root bypassed via a symlink to / (string check instead of dev/inode) Moderate
CVE-2026-35349 was published for uu_rm (Rust) Jul 6, 2026
Duplicate Advisory: uutils coreutils has a Link Following Issue Via rm Utility Moderate
GHSA-v762-x3cf-5mfg was published for coreutils (Rust) Apr 22, 2026 withdrawn
install -D: symlink race in directory creation allows arbitrary file overwrite Moderate
CVE-2026-35356 was published for uu_install (Rust) Jul 6, 2026
install: TOCTOU symlink race (unlink-then-create without O_EXCL) allows arbitrary file overwrite Moderate
CVE-2026-35355 was published for uu_install (Rust) Jul 6, 2026
chmod: --preserve-root bypassed by any path that resolves to root (e.g. /../) High
CVE-2026-35338 was published for uu_chmod (Rust) Jul 6, 2026
KubeVirt has a Link Following issue High
CVE-2026-9804 was published for kubevirt.io/kubevirt (Go) May 28, 2026
`oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution High
CVE-2026-50163 was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
anvanster Credited to anvanster
tonghuaroot Credited to tonghuaroot and jonesbusy jonesbusy jonesbusy
Jenkins Pipeline: Groovy Libraries Plugin does not prohibit symbolic links in shared libraries High
CVE-2026-48921 was published for io.jenkins.plugins:pipeline-groovy-lib (Maven) May 27, 2026
KubeVirt has a Link Following vulnerability Critical
CVE-2026-7374 was published for kubevirt.io/kubevirt (Go) May 26, 2026
Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym Critical
CVE-2026-52811 was published for gogs.io/gogs (Go) Jun 23, 2026
amwhoi Credited to amwhoi
Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload Critical
CVE-2026-54352 was published for @budibase/server (npm) Jun 22, 2026
kah-ja Credited to kah-ja
Faze-up Credited to Faze-up
sondt99 Credited to sondt99
go.qbee.io/transport: Symlink-chain path traversal in tar extraction (one level outside destination) Moderate
CVE-2026-55828 was published for go.qbee.io/transport (Go) Jun 19, 2026
ttzero25 Credited to ttzero25
py7zr: Arbitrary File Write Vulnerability High
CVE-2026-23879 was published for py7zr (pip) Jun 19, 2026
HughLewis20 Credited to HughLewis20
Hugo: Symlink confinement bypass in os.ReadFile Moderate
GHSA-c3wq-j5vh-68rc was published for github.com/gohugoio/hugo (Go) Jun 19, 2026
vnth4nhnt Credited to vnth4nhnt
Crawl4AI: Arbitrary file write (path traversal) in crawler downloads can lead to RCE Critical
GHSA-2jq4-q6vv-4cp3 was published for crawl4ai (pip) Jun 18, 2026
ProTip! Advisories are also available from the GraphQL API