Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

22 advisories

Loading
OpenTofu: Provider cache installation follows root-module-controlled package directory symlink and writes outside the working tree Moderate
GHSA-wcmj-x466-56mm was published for github.com/opentofu/opentofu (Go) Jun 23, 2026
Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym Critical
CVE-2026-52811 was published for gogs.io/gogs (Go) Jun 23, 2026
amwhoi Credited to amwhoi
runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations Moderate
CVE-2026-41579 was published for github.com/opencontainers/runc (Go) Jun 22, 2026
mosskappa Credited to mosskappa and Dmanzella Dmanzella Dmanzella
Arbitrary host CRI log file read via symlink following in CRI checkpoint restore High
CVE-2026-53489 was published for github.com/containerd/containerd/v2 (Go) Jun 19, 2026
gouldnicholas Credited to gouldnicholas, davidrxchester, sangwon090, robertprast, and Plucky923 davidrxchester davidrxchester
sangwon090 sangwon090 robertprast robertprast Plucky923 Plucky923
Docker: Race condition in docker cp allows bind mount redirection to host path High
CVE-2026-42306 was published for github.com/docker/docker (Go) May 18, 2026
vvoland Credited to vvoland
Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap Moderate
CVE-2026-41568 was published for github.com/docker/docker (Go) May 18, 2026
manizada Credited to manizada and vvoland vvoland vvoland
Kata Container has CopyFile Policy Subversion via Symlinks High
CVE-2026-41326 was published for github.com/kata-containers/kata-containers (Go) May 4, 2026
fitzthum Credited to fitzthum, calonso-nv, fikriwahab, burgerdev, danmihai1, jojimt, fidencio, and kodareef5 calonso-nv calonso-nv
fikriwahab fikriwahab burgerdev burgerdev danmihai1 danmihai1 jojimt jojimt fidencio fidencio kodareef5 kodareef5
zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write High
CVE-2026-42275 was published for github.com/openziti/zrok (Go) Apr 25, 2026
bugbunny-research Credited to bugbunny-research
Incus vulnerable to local privilege escalation through VM screenshot path Moderate
CVE-2026-33711 was published for github.com/lxc/incus/v6 (Go) Mar 27, 2026
stamparm Credited to stamparm and stgraber stgraber stgraber
Weaviate OSS has a Path Traversal Vulnerability via Backup ZipSlip High
CVE-2025-67818 was published for github.com/weaviate/weaviate (Go) Dec 12, 2025
Apptainer ineffectively applies selinux and apparmor --security options Moderate
CVE-2025-65105 was published for github.com/apptainer/apptainer (Go) Dec 2, 2025
dtrudg Credited to dtrudg
Singluarity ineffectively applies selinux / apparmor LSM process labels Moderate
CVE-2025-64750 was published for github.com/sylabs/singularity/v4 (Go) Dec 2, 2025
runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects High
CVE-2025-52881 was published for github.com/opencontainers/runc (Go) Nov 5, 2025
tonistiigi Credited to tonistiigi, cyphar, lifubang, OddBloke, and olsova cyphar cyphar
lifubang lifubang OddBloke OddBloke olsova olsova
runc container escape with malicious config due to /dev/console mount and related races High
CVE-2025-52565 was published for github.com/opencontainers/runc (Go) Nov 5, 2025
ssst0n3 Credited to ssst0n3, lifubang, and cyphar lifubang lifubang
cyphar cyphar
runc container escape via "masked path" abuse due to mount race conditions High
CVE-2025-31133 was published for github.com/opencontainers/runc (Go) Nov 5, 2025
ssst0n3 Credited to ssst0n3, rata, kolyshkin, lifubang, and cyphar rata rata
kolyshkin kolyshkin lifubang lifubang cyphar cyphar
podman kube play symlink traversal vulnerability High
CVE-2025-9566 was published for github.com/containers/podman/v4 (Go) Sep 4, 2025
Luap99 Credited to Luap99
Insecure Temporary File usage in github.com/golang/glog Moderate
CVE-2024-45339 was published for github.com/golang/glog (Go) Jan 28, 2025
Extract has insufficient checks allowing attacker to create symlinks outside the extraction directory. Moderate
CVE-2024-47877 was published for github.com/codeclysm/extract (Go) Oct 11, 2024
buglloc Credited to buglloc and cmaglie cmaglie cmaglie
runc can be confused to create empty files/directories on the host Moderate
CVE-2024-45310 was published for github.com/opencontainers/runc (Go) Sep 3, 2024
rata Credited to rata, alban, cyphar, and sdowell alban alban
cyphar cyphar sdowell sdowell
Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following High
CVE-2023-25152 was published for github.com/pterodactyl/wings (Go) Feb 8, 2023
astro-angelfish Credited to astro-angelfish
Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server Moderate
CVE-2022-24904 was published for github.com/argoproj/argo-cd/v2 (Go) May 23, 2022
crenshaw-dev Credited to crenshaw-dev and tdunlap607 tdunlap607 tdunlap607
Kubernetes kubectl cp Vulnerable to Symlink Attack Moderate
CVE-2019-11251 was published for k8s.io/kubernetes (Go) May 18, 2021
ProTip! Advisories are also available from the GraphQL API