Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,029
Maven
5,000+
npm
5,000+
NuGet
976
pip
5,000+
Pub
13
RubyGems
1,070
Rust
1,404
Swift
61
Unreviewed advisories
All unreviewed
5,000+

78 advisories

Loading
@babel/core: Arbitrary File Read via sourceMappingURL Comment Low
CVE-2026-49356 was published for @babel/core (npm) Jun 15, 2026
radoi-teodor Credited to radoi-teodor, JLHwung, nicolo-ribaudo, and liuxingbaoyu JLHwung JLHwung
nicolo-ribaudo nicolo-ribaudo liuxingbaoyu liuxingbaoyu
esbuild allows arbitrary file read when running the development server on Windows Low
GHSA-g7r4-m6w7-qqqr was published for esbuild (npm) Jun 12, 2026
dellalibera Credited to dellalibera
TYPO3 CMS has Broken Access Control in its File Abstraction Layer Low
CVE-2026-49738 was published for typo3/cms-core (Composer) Jun 12, 2026
Dulwich doesn't sanitize commit subjects in `porcelain.format_patch` Low
CVE-2026-47712 was published for dulwich (pip) Jun 8, 2026
ctoth Credited to ctoth and jelmer jelmer jelmer
Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic Low
CVE-2026-45723 was published for github.com/siderolabs/omni (Go) Jun 5, 2026
bugbunny-research Credited to bugbunny-research
androidqf: APK download Path Traversal in device APK paths Low
GHSA-763j-3p5v-jfc6 was published for github.com/mvt-project/androidqf (Go) May 21, 2026
androidqf: Zip entry Name Injection in APK bundle (Zip Slip for zip consumers) Low
GHSA-jf2q-463c-6f52 was published for github.com/mvt-project/androidqf (Go) May 21, 2026
AstrBot: File upload vulnerability in the function post_file of the file astrbot/dashboard/routes/chat.py Low
CVE-2026-8754 was published for AstrBot (pip) May 17, 2026
Magic Wormhole: receive, with --output pointing at an existing directory can be path-traversed Low
CVE-2026-42448 was published for magic-wormhole (pip) May 6, 2026
@puchunjie/doc-tools-mcp has a Path Traversal Issue Low
CVE-2026-7738 was published for @puchunjie/doc-tools-mcp (npm) May 4, 2026
Ollama is Vulnerable to Path Traversal Low
CVE-2026-7020 was published for github.com/ollama/ollama (Go) Apr 26, 2026
melange has Path Traversal via .PKGINFO in --persist-lint-results Low
CVE-2026-29051 was published for chainguard.dev/melange (Go) Apr 23, 2026
1seal Credited to 1seal, antitree, and egibs antitree antitree
egibs egibs
Poetry has Path Traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4 Low
CVE-2026-41140 was published for poetry (pip) Apr 22, 2026
kodareef5 Credited to kodareef5 and radoering radoering radoering
Zio has SubFileSystem Path Confinement Bypass via Unresolved `..` Segment Low
GHSA-h39g-6x3c-7fq9 was published for Zio (NuGet) Apr 18, 2026
SUT0L Credited to SUT0L
uv vulnerable to arbitrary file deletion through RECORD entries Low
GHSA-pjjw-68hj-v9mw was published for uv (pip) Apr 10, 2026
konstin Credited to konstin, zanieb, woodruffw, EliteTK, and CodeByMoriarty zanieb zanieb
woodruffw woodruffw EliteTK EliteTK CodeByMoriarty CodeByMoriarty
Zoraxy: Authenticated Path Traversal in Config Import leads to RCE Low
CVE-2026-33529 was published for github.com/tobychui/zoraxy (Go) Mar 25, 2026
JakePeralta7 Credited to JakePeralta7
Vaadin: Specially crafted ZIP archives can escape the intended extraction directory Low
CVE-2026-2741 was published for com.vaadin:flow-project (Maven) Mar 10, 2026
dbt-common's commonprefix() doesn't protect against path traversal Low
CVE-2026-29790 was published for dbt-common (pip) Mar 5, 2026
sethmlarson Credited to sethmlarson and emmyoop emmyoop emmyoop
Backstage vulnerable to potential reading of SCM URLs using built in token Low
CVE-2026-29185 was published for @backstage/integration (npm) Mar 5, 2026
OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read Low
CVE-2026-32020 was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
pip Path Traversal vulnerability Low
CVE-2026-1703 was published for pip (pip) Feb 2, 2026
Container and Containerization archive extraction does not guard against escapes from extraction base directory. Low
CVE-2026-20613 was published for github.com/apple/container (Swift) Jan 22, 2026
LLfam Credited to LLfam
AIOHTTP vulnerable to brute-force leak of internal static file path components Low
CVE-2025-69226 was published for aiohttp (pip) Jan 5, 2026
ThomasRinsma Credited to ThomasRinsma, Dreamsorcerer, and bdraco Dreamsorcerer Dreamsorcerer
bdraco bdraco
alexusmai laravel-file-manager is vulnerable to Directory Traversal Low
CVE-2025-65345 was published for alexusmai/laravel-file-manager (Composer) Dec 3, 2025
Resty has a Path Traversal vulnerability Low
CVE-2025-13435 was published for cn.dreampie:resty (Maven) Nov 20, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database