Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

64 advisories

Loading
Cargo crates in third party registries can override the cached source of other crates Moderate
CVE-2026-5223 was published for cargo (Rust) Jun 26, 2026
christos-spearbit Credited to christos-spearbit, arlosi, emilyalbini, cuviper, and Manishearth arlosi arlosi
emilyalbini emilyalbini cuviper cuviper Manishearth Manishearth
OpenTofu: Provider cache installation follows root-module-controlled package directory symlink and writes outside the working tree Moderate
GHSA-wcmj-x466-56mm was published for github.com/opentofu/opentofu (Go) Jun 23, 2026
Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym Critical
CVE-2026-52811 was published for gogs.io/gogs (Go) Jun 23, 2026
amwhoi Credited to amwhoi
runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations Moderate
CVE-2026-41579 was published for github.com/opencontainers/runc (Go) Jun 22, 2026
mosskappa Credited to mosskappa and Dmanzella Dmanzella Dmanzella
ChatterBot: Symlink-Following Arbitrary Write via UbuntuCorpusTrainer Moderate
GHSA-wvrh-2f4m-924v was published for ChatterBot (pip) Jun 19, 2026
AAtomical Credited to AAtomical
Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit Critical
CVE-2026-55447 was published for langflow (pip) Jun 19, 2026
vbCrLf Credited to vbCrLf, AntonioABLima, andifilhohub, erichare, and Adam-Aghili AntonioABLima AntonioABLima
andifilhohub andifilhohub erichare erichare Adam-Aghili Adam-Aghili
Arbitrary host CRI log file read via symlink following in CRI checkpoint restore High
CVE-2026-53489 was published for github.com/containerd/containerd/v2 (Go) Jun 19, 2026
gouldnicholas Credited to gouldnicholas, davidrxchester, sangwon090, robertprast, and Plucky923 davidrxchester davidrxchester
sangwon090 sangwon090 robertprast robertprast Plucky923 Plucky923
BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284 Moderate
CVE-2026-12565 was published for bbot (pip) Jun 18, 2026
sondt99 Credited to sondt99
Docker: Race condition in docker cp allows bind mount redirection to host path High
CVE-2026-42306 was published for github.com/docker/docker (Go) May 18, 2026
vvoland Credited to vvoland
Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap Moderate
CVE-2026-41568 was published for github.com/docker/docker (Go) May 18, 2026
manizada Credited to manizada and vvoland vvoland vvoland
PDM: Project-Local State and Config Writes Follow Symlinks Moderate
CVE-2026-47763 was published for pdm (pip) Jun 10, 2026
xuemian168 Credited to xuemian168 and ZejiHui ZejiHui ZejiHui
ONNX: External Data Symlink Traversal Moderate
CVE-2026-34447 was published for onnx (pip) Apr 1, 2026
jayashwaS Credited to jayashwaS
skillctl: Path traversal and symlink-follow in skillctl allow arbitrary file disclosure and deletion High
GHSA-wx3m-whqv-xv47 was published for skillctl (Rust) Jun 5, 2026
podman kube play symlink traversal vulnerability High
CVE-2025-9566 was published for github.com/containers/podman/v4 (Go) Sep 4, 2025
Luap99 Credited to Luap99
pgAdmin 4 File Manager has symbolic-link path traversal High
CVE-2026-7819 was published for pgadmin4 (pip) May 11, 2026
Kata Container has CopyFile Policy Subversion via Symlinks High
CVE-2026-41326 was published for github.com/kata-containers/kata-containers (Go) May 4, 2026
fitzthum Credited to fitzthum, calonso-nv, fikriwahab, burgerdev, danmihai1, jojimt, fidencio, and kodareef5 calonso-nv calonso-nv
fikriwahab fikriwahab burgerdev burgerdev danmihai1 danmihai1 jojimt jojimt fidencio fidencio kodareef5 kodareef5
zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write High
CVE-2026-42275 was published for github.com/openziti/zrok (Go) Apr 25, 2026
bugbunny-research Credited to bugbunny-research
OpenClaw contains a symlink traversal vulnerability Moderate
CVE-2026-43570 was published for openclaw (npm) May 5, 2026
OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host High
CVE-2026-41364 was published for openclaw (npm) Apr 2, 2026
AntAISecurityLab Credited to AntAISecurityLab
astral-tokio-tar: `unpack_in` can chmod arbitrary directories by following symlinks Low
GHSA-xx64-wwv2-hcqq was published for astral-tokio-tar (Rust) May 6, 2026
LawnGnome Credited to LawnGnome and woodruffw woodruffw woodruffw
uutils coreutils has a UNIX Symbolic Link (Symlink) Following issue Moderate
CVE-2026-35372 was published for coreutils (Rust) Apr 22, 2026
Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace High
CVE-2026-39861 was published for @anthropic-ai/claude-code (npm) Apr 21, 2026
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback Moderate
CVE-2026-28684 was published for python-dotenv (pip) Apr 21, 2026
tsigouris007 Credited to tsigouris007 and bbc2 bbc2 bbc2
YLChen-007 Credited to YLChen-007
ProTip! Advisories are also available from the GraphQL API