GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
96
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
25 advisories
Filter by severity
Arbitrary host CRI log file read via symlink following in CRI checkpoint restore
High
CVE-2026-53489
was published
for
github.com/containerd/containerd/v2
(Go)
Jun 19, 2026
skillctl: Path traversal and symlink-follow in skillctl allow arbitrary file disclosure and deletion
High
GHSA-wx3m-whqv-xv47
was published
for
skillctl
(Rust)
Jun 5, 2026
Docker: Race condition in docker cp allows bind mount redirection to host path
High
CVE-2026-42306
was published
for
github.com/docker/docker
(Go)
May 18, 2026
pgAdmin 4 File Manager has symbolic-link path traversal
High
CVE-2026-7819
was published
for
pgadmin4
(pip)
May 11, 2026
Kata Container has CopyFile Policy Subversion via Symlinks
High
CVE-2026-41326
was published
for
github.com/kata-containers/kata-containers
(Go)
May 4, 2026
zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write
High
CVE-2026-42275
was published
for
github.com/openziti/zrok
(Go)
Apr 25, 2026
Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace
High
CVE-2026-39861
was published
for
@anthropic-ai/claude-code
(npm)
Apr 21, 2026
LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates
High
CVE-2026-35525
was published
for
liquidjs
(npm)
Apr 8, 2026
OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host
High
CVE-2026-41364
was published
for
openclaw
(npm)
Apr 2, 2026
onnx Vulnerable to Path Traversal via Symlink
High
CVE-2026-27489
was published
for
onnx
(pip)
Mar 31, 2026
Jenkins has a link following vulnerability allows arbitrary file creation
High
CVE-2026-33001
was published
for
org.jenkins-ci.main:jenkins-core
(Maven)
Mar 18, 2026
Weaviate OSS has a Path Traversal Vulnerability via Backup ZipSlip
High
CVE-2025-67818
was published
for
github.com/weaviate/weaviate
(Go)
Dec 12, 2025
youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects
High
CVE-2025-62596
was published
for
youki
(Rust)
Nov 5, 2025
youki container escape via "masked path" abuse due to mount race conditions
High
CVE-2025-62161
was published
for
youki
(Rust)
Nov 5, 2025
runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects
High
CVE-2025-52881
was published
for
github.com/opencontainers/runc
(Go)
Nov 5, 2025
runc container escape with malicious config due to /dev/console mount and related races
High
CVE-2025-52565
was published
for
github.com/opencontainers/runc
(Go)
Nov 5, 2025
runc container escape via "masked path" abuse due to mount race conditions
High
CVE-2025-31133
was published
for
github.com/opencontainers/runc
(Go)
Nov 5, 2025
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
High
CVE-2025-59343
was published
for
tar-fs
(npm)
Sep 24, 2025
podman kube play symlink traversal vulnerability
High
CVE-2025-9566
was published
for
github.com/containers/podman/v4
(Go)
Sep 4, 2025
Youki: If /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem.
High
CVE-2025-54867
was published
for
youki
(Rust)
Aug 14, 2025
zip Incorrectly Canonicalizes Paths during Archive Extraction Leading to Arbitrary File Write
High
CVE-2025-29787
was published
for
zip
(Rust)
Mar 17, 2025
Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following
High
CVE-2023-25152
was published
for
github.com/pterodactyl/wings
(Go)
Feb 8, 2023
@npmcli/arborist vulnerable to UNIX Symbolic Link (Symlink) Following
High
CVE-2021-39134
was published
for
@npmcli/arborist
(npm)
Aug 31, 2021
UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
High
CVE-2021-39135
was published
for
@npmcli/arborist
(npm)
Aug 31, 2021
ProTip!
Advisories are also available from the
GraphQL API