GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
96
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
64 advisories
Filter by severity
Cargo crates in third party registries can override the cached source of other crates
Moderate
CVE-2026-5223
was published
for
cargo
(Rust)
Jun 26, 2026
OpenTofu: Provider cache installation follows root-module-controlled package directory symlink and writes outside the working tree
Moderate
GHSA-wcmj-x466-56mm
was published
for
github.com/opentofu/opentofu
(Go)
Jun 23, 2026
Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym
Critical
CVE-2026-52811
was published
for
gogs.io/gogs
(Go)
Jun 23, 2026
runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations
Moderate
CVE-2026-41579
was published
for
github.com/opencontainers/runc
(Go)
Jun 22, 2026
ChatterBot: Symlink-Following Arbitrary Write via UbuntuCorpusTrainer
Moderate
GHSA-wvrh-2f4m-924v
was published
for
ChatterBot
(pip)
Jun 19, 2026
Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit
Critical
CVE-2026-55447
was published
for
langflow
(pip)
Jun 19, 2026
Arbitrary host CRI log file read via symlink following in CRI checkpoint restore
High
CVE-2026-53489
was published
for
github.com/containerd/containerd/v2
(Go)
Jun 19, 2026
BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284
Moderate
CVE-2026-12565
was published
for
bbot
(pip)
Jun 18, 2026
Docker: Race condition in docker cp allows bind mount redirection to host path
High
CVE-2026-42306
was published
for
github.com/docker/docker
(Go)
May 18, 2026
Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
Moderate
CVE-2026-41568
was published
for
github.com/docker/docker
(Go)
May 18, 2026
PDM: Project-Local State and Config Writes Follow Symlinks
Moderate
CVE-2026-47763
was published
for
pdm
(pip)
Jun 10, 2026
ONNX: External Data Symlink Traversal
Moderate
CVE-2026-34447
was published
for
onnx
(pip)
Apr 1, 2026
skillctl: Path traversal and symlink-follow in skillctl allow arbitrary file disclosure and deletion
High
GHSA-wx3m-whqv-xv47
was published
for
skillctl
(Rust)
Jun 5, 2026
podman kube play symlink traversal vulnerability
High
CVE-2025-9566
was published
for
github.com/containers/podman/v4
(Go)
Sep 4, 2025
pgAdmin 4 File Manager has symbolic-link path traversal
High
CVE-2026-7819
was published
for
pgadmin4
(pip)
May 11, 2026
Kata Container has CopyFile Policy Subversion via Symlinks
High
CVE-2026-41326
was published
for
github.com/kata-containers/kata-containers
(Go)
May 4, 2026
zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write
High
CVE-2026-42275
was published
for
github.com/openziti/zrok
(Go)
Apr 25, 2026
OpenClaw contains a symlink traversal vulnerability
Moderate
CVE-2026-43570
was published
for
openclaw
(npm)
May 5, 2026
OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host
High
CVE-2026-41364
was published
for
openclaw
(npm)
Apr 2, 2026
astral-tokio-tar: `unpack_in` can chmod arbitrary directories by following symlinks
Low
GHSA-xx64-wwv2-hcqq
was published
for
astral-tokio-tar
(Rust)
May 6, 2026
uutils coreutils has a UNIX Symbolic Link (Symlink) Following issue
Moderate
CVE-2026-35372
was published
for
coreutils
(Rust)
Apr 22, 2026
Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace
High
CVE-2026-39861
was published
for
@anthropic-ai/claude-code
(npm)
Apr 21, 2026
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
Moderate
CVE-2026-28684
was published
for
python-dotenv
(pip)
Apr 21, 2026
OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)
Moderate
CVE-2026-35632
was published
for
openclaw
(npm)
Mar 26, 2026
Duplicate Advisory: OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)
Moderate
GHSA-pmf3-2q63-jmp6
was published
for
openclaw
(npm)
Apr 10, 2026
•
withdrawn
ProTip!
Advisories are also available from the
GraphQL API