GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,293
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
22 advisories
Filter by severity
OpenTofu: Provider cache installation follows root-module-controlled package directory symlink and writes outside the working tree
Moderate
GHSA-wcmj-x466-56mm
was published
for
github.com/opentofu/opentofu
(Go)
Jun 23, 2026
Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym
Critical
CVE-2026-52811
was published
for
gogs.io/gogs
(Go)
Jun 23, 2026
runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations
Moderate
CVE-2026-41579
was published
for
github.com/opencontainers/runc
(Go)
Jun 22, 2026
Arbitrary host CRI log file read via symlink following in CRI checkpoint restore
High
CVE-2026-53489
was published
for
github.com/containerd/containerd/v2
(Go)
Jun 19, 2026
Docker: Race condition in docker cp allows bind mount redirection to host path
High
CVE-2026-42306
was published
for
github.com/docker/docker
(Go)
May 18, 2026
Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
Moderate
CVE-2026-41568
was published
for
github.com/docker/docker
(Go)
May 18, 2026
Kata Container has CopyFile Policy Subversion via Symlinks
High
CVE-2026-41326
was published
for
github.com/kata-containers/kata-containers
(Go)
May 4, 2026
zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write
High
CVE-2026-42275
was published
for
github.com/openziti/zrok
(Go)
Apr 25, 2026
Incus vulnerable to local privilege escalation through VM screenshot path
Moderate
CVE-2026-33711
was published
for
github.com/lxc/incus/v6
(Go)
Mar 27, 2026
Weaviate OSS has a Path Traversal Vulnerability via Backup ZipSlip
High
CVE-2025-67818
was published
for
github.com/weaviate/weaviate
(Go)
Dec 12, 2025
Apptainer ineffectively applies selinux and apparmor --security options
Moderate
CVE-2025-65105
was published
for
github.com/apptainer/apptainer
(Go)
Dec 2, 2025
Singluarity ineffectively applies selinux / apparmor LSM process labels
Moderate
CVE-2025-64750
was published
for
github.com/sylabs/singularity/v4
(Go)
Dec 2, 2025
runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects
High
CVE-2025-52881
was published
for
github.com/opencontainers/runc
(Go)
Nov 5, 2025
runc container escape with malicious config due to /dev/console mount and related races
High
CVE-2025-52565
was published
for
github.com/opencontainers/runc
(Go)
Nov 5, 2025
runc container escape via "masked path" abuse due to mount race conditions
High
CVE-2025-31133
was published
for
github.com/opencontainers/runc
(Go)
Nov 5, 2025
podman kube play symlink traversal vulnerability
High
CVE-2025-9566
was published
for
github.com/containers/podman/v4
(Go)
Sep 4, 2025
Insecure Temporary File usage in github.com/golang/glog
Moderate
CVE-2024-45339
was published
for
github.com/golang/glog
(Go)
Jan 28, 2025
Extract has insufficient checks allowing attacker to create symlinks outside the extraction directory.
Moderate
CVE-2024-47877
was published
for
github.com/codeclysm/extract
(Go)
Oct 11, 2024
runc can be confused to create empty files/directories on the host
Moderate
CVE-2024-45310
was published
for
github.com/opencontainers/runc
(Go)
Sep 3, 2024
Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following
High
CVE-2023-25152
was published
for
github.com/pterodactyl/wings
(Go)
Feb 8, 2023
Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server
Moderate
CVE-2022-24904
was published
for
github.com/argoproj/argo-cd/v2
(Go)
May 23, 2022
Kubernetes kubectl cp Vulnerable to Symlink Attack
Moderate
CVE-2019-11251
was published
for
k8s.io/kubernetes
(Go)
May 18, 2021
ProTip!
Advisories are also available from the
GraphQL API