Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,004
Maven
5,000+
npm
5,000+
NuGet
974
pip
5,000+
Pub
13
RubyGems
1,069
Rust
1,395
Swift
61
Unreviewed advisories
All unreviewed
5,000+

188 advisories

Loading
File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope Moderate
CVE-2026-54094 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
DavidCarliez Credited to DavidCarliez, hacdias, m2hcz, and alanturing881 hacdias hacdias
m2hcz m2hcz alanturing881 alanturing881
Sparkle: Binary delta apply intermediate-symlink traversal in malicious .delta Moderate
CVE-2026-47121 was published for github.com/sparkle-project/Sparkle (Swift) May 29, 2026
fg0x0 Credited to fg0x0
Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path High
CVE-2026-41236 was published for froxlor/froxlor (Composer) May 29, 2026
larlarua Credited to larlarua
Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree High
CVE-2026-45539 was published for apm (pip) May 18, 2026
thesmartshadow Credited to thesmartshadow
Portainer Has an Arbitrary File Read via Git Symlink Injection in Stack Auto-Update High
CVE-2026-44881 was published for github.com/portainer/portainer (Go) May 14, 2026
b-hermes Credited to b-hermes
HashiCorp Nomad vulnerable to symlink attack Moderate
CVE-2026-6959 was published for github.com/hashicorp/nomad (Go) May 12, 2026
HashiCorp Nomad’s exec2 task driver vulnerable to a symlink attack Moderate
CVE-2026-8052 was published for github.com/hashicorp/nomad-driver-exec2 (Go) May 12, 2026
PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir` High
CVE-2026-44340 was published for PraisonAI (pip) May 11, 2026
DHIRAL2908 Credited to DHIRAL2908
BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context Moderate
CVE-2026-40610 was published for bentoml (pip) May 7, 2026
larlarua Credited to larlarua
vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape High
CVE-2026-43998 was published for vm2 (npm) May 7, 2026
bugbunny-research Credited to bugbunny-research
gix-fs: Symlink prefix-reuse allows worktree escape during checkout High
CVE-2026-44471 was published for gix-fs (Rust) May 7, 2026
LawnGnome Credited to LawnGnome
ciguard: discover_pipeline_files follows symlinks out of scan root Low
CVE-2026-44220 was published for ciguard (pip) May 5, 2026
apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root High
CVE-2026-42574 was published for chainguard.dev/apko (Go) May 4, 2026
1seal Credited to 1seal, antitree, markusthoemmes, and vamsik2k5 antitree antitree
markusthoemmes markusthoemmes vamsik2k5 vamsik2k5
Contras Affected by CopyFile Policy Subversion via Symlinks High
GHSA-rh99-wc69-c255 was published for github.com/edgelesssys/contrast (Go) Apr 30, 2026
Spring Boot's PID file write follows symlinks at predictable default path Moderate
CVE-2026-40977 was published for org.springframework.boot:spring-boot-cassandra (Maven) Apr 28, 2026
Duplicate Advisory: OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host High
GHSA-5799-3xg7-rfrv was published for openclaw (npm) Apr 28, 2026 withdrawn
uutils coreutils has a Link Following issue Moderate
CVE-2026-35359 was published for coreutils (Rust) Apr 22, 2026
uutils coreutils has a Link Following Issue Via rm Utility Moderate
CVE-2026-35349 was published for coreutils (Rust) Apr 22, 2026
uutils coreutils has a Link Following issue Moderate
CVE-2026-35365 was published for coreutils (Rust) Apr 22, 2026
uutils coreutils has a Link Following Issue Moderate
CVE-2026-35345 was published for coreutils (Rust) Apr 22, 2026
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback Moderate
CVE-2026-28684 was published for python-dotenv (pip) Apr 21, 2026
tsigouris007 Credited to tsigouris007 and bbc2 bbc2 bbc2
OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR High
CVE-2026-41433 was published for go.opentelemetry.io/obi (Go) Apr 17, 2026
MrAlias Credited to MrAlias and arminru arminru arminru
Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing High
CVE-2026-40931 was published for compressing (npm) Apr 17, 2026
sachinpatilpsp Credited to sachinpatilpsp and IAMolofficial IAMolofficial IAMolofficial
Weblate: Arbitrary File Read via Symlink High
CVE-2026-34242 was published for weblate (pip) Apr 16, 2026
DavidCarliez Credited to DavidCarliez
Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron High
CVE-2026-41231 was published for froxlor/froxlor (Composer) Apr 16, 2026
offset Credited to offset
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database