GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
193 advisories
OpenClaw: Zip extraction symlink traversal could write outside destination
High
GHSA-jxrq-8fm4-9p58
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: Sandbox media fallback tmp symlink alias bypass allows host file reads outside sandboxRoot
High
GHSA-xmv6-r34m-62p4
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind
High
CVE-2026-28483
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: Unified root-bound write hardening for browser output and related path-boundary flows
Moderate
CVE-2026-22180
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace
High
CVE-2026-31990
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host
Moderate
CVE-2026-32043
was published
for
openclaw
(npm)
Mar 3, 2026
BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction
High
CVE-2026-27905
was published
for
bentoml
(pip)
Mar 3, 2026
OpenClaw's avatar symlink traversal can expose out-of-workspace local files
Moderate
CVE-2026-32024
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind
High
CVE-2026-27545
was published
for
openclaw
(npm)
Mar 2, 2026
OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write
Critical
CVE-2026-32013
was published
for
openclaw
(npm)
Mar 2, 2026
OpenClaw has browser trace/download path symlink escape in temp output handling
Moderate
CVE-2026-32054
was published
for
openclaw
(npm)
Mar 2, 2026
OpenClaw: Sandbox media TOCTOU could read files outside sandbox root
High
GHSA-7xmq-g46g-f8pv
was published
for
openclaw
(npm)
Mar 2, 2026
OpenClaw's TOCTOU symlink race in writeFileWithinRoot could create or truncate files outside root boundaries
High
GHSA-x82f-27x3-q89c
was published
for
openclaw
(npm)
Mar 2, 2026
Compressing Vulnerable to Arbitrary File Write via Symlink Extraction
High
CVE-2026-24884
was published
for
compressing
(npm)
Feb 3, 2026
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
High
CVE-2026-24842
was published
for
tar
(npm)
Jan 28, 2026
pnpm has symlink traversal in file:/git dependencies
Moderate
CVE-2026-24056
was published
for
pnpm
(npm)
Jan 26, 2026
virtualenv Has TOCTOU Vulnerabilities in Directory Creation
Moderate
CVE-2026-22702
was published
for
virtualenv
(pip)
Jan 13, 2026
filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock
Moderate
CVE-2026-22701
was published
for
filelock
(pip)
Jan 13, 2026
Weblate has an arbitrary file read via symbolic links
High
CVE-2025-68279
was published
for
Weblate
(pip)
Dec 18, 2025
filelock has a TOCTOU race condition which allows symlink attacks during lock file creation
Moderate
CVE-2025-68146
was published
for
filelock
(pip)
Dec 16, 2025
RCE via ZipSlip and symbolic links in argoproj/argo-workflows
High
CVE-2025-66626
was published
for
github.com/argoproj/argo-workflows
(Go)
Dec 9, 2025
KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes
Moderate
CVE-2025-64437
was published
for
kubevirt.io/kubevirt
(Go)
Nov 6, 2025
ProTip!
Advisories are also available from the
GraphQL API