Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
73
GitHub Actions
53
Go
4,029
Maven
5,000+
npm
5,000+
NuGet
976
pip
5,000+
Pub
13
RubyGems
1,070
Rust
1,404
Swift
61
Unreviewed advisories
All unreviewed
5,000+

193 advisories

Loading
Chrome DevTools for agents: daemon.pid write follows symlinks in /tmp fallback runtime directory Moderate
CVE-2026-53765 was published for chrome-devtools-mcp (npm) Jun 17, 2026
enable7997 Credited to enable7997
Crawl4AI: Arbitrary file write (symlink/TOCTOU) plus log and webhook-header injection in Docker server High
GHSA-7cx2-g3h9-382p was published for crawl4ai (pip) Jun 16, 2026
Hugo: Symlink confinement bypass in resources.Get Moderate
CVE-2026-50135 was published for github.com/gohugoio/hugo (Go) Jun 16, 2026
unknownhad Credited to unknownhad
LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders Moderate
GHSA-gr75-jv2w-4656 was published for langchain (pip) Jun 16, 2026
Mistz1 Credited to Mistz1 and deprrous deprrous deprrous
Microsoft Security Advisory CVE-2026-45491 – .NET Tampering Vulnerability Moderate
CVE-2026-45491 was published for Microsoft.NETCore.App.Runtime.linux-x64 (NuGet) Jun 16, 2026
File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope Moderate
CVE-2026-54094 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
DavidCarliez Credited to DavidCarliez, hacdias, m2hcz, and alanturing881 hacdias hacdias
m2hcz m2hcz alanturing881 alanturing881
Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path High
CVE-2026-41236 was published for froxlor/froxlor (Composer) May 29, 2026
larlarua Credited to larlarua
Portainer Has an Arbitrary File Read via Git Symlink Injection in Stack Auto-Update High
CVE-2026-44881 was published for github.com/portainer/portainer (Go) May 14, 2026
b-hermes Credited to b-hermes
BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context Moderate
CVE-2026-40610 was published for bentoml (pip) May 7, 2026
larlarua Credited to larlarua
ONNX: TOCTOU arbitrary file read/write in save_external_dat High
GHSA-q56x-g2fj-4rj6 was published for onnx (pip) Apr 1, 2026
tsigouris007 Credited to tsigouris007 and kpatsakis kpatsakis kpatsakis
instack-undercloud vulnerable to symlink attack on tmp files Moderate
CVE-2017-7549 was published for instack-undercloud (pip) May 13, 2022
Git LFS may write to arbitrary files via crafted symlinks High
CVE-2025-26625 was published for github.com/git-lfs/git-lfs (Go) Oct 17, 2025
Sparkle: Binary delta apply intermediate-symlink traversal in malicious .delta Moderate
CVE-2026-47121 was published for github.com/sparkle-project/Sparkle (Swift) May 29, 2026
fg0x0 Credited to fg0x0
HashiCorp Nomad vulnerable to symlink attack Moderate
CVE-2026-6959 was published for github.com/hashicorp/nomad (Go) May 12, 2026
HashiCorp Nomad’s exec2 task driver vulnerable to a symlink attack Moderate
CVE-2026-8052 was published for github.com/hashicorp/nomad-driver-exec2 (Go) May 12, 2026
Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree High
CVE-2026-45539 was published for apm (pip) May 18, 2026
thesmartshadow Credited to thesmartshadow
ciguard: discover_pipeline_files follows symlinks out of scan root Low
CVE-2026-44220 was published for ciguard (pip) May 5, 2026
gix-fs: Symlink prefix-reuse allows worktree escape during checkout High
CVE-2026-44471 was published for gix-fs (Rust) May 7, 2026
LawnGnome Credited to LawnGnome
vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape High
CVE-2026-43998 was published for vm2 (npm) May 7, 2026
bugbunny-research Credited to bugbunny-research
apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root High
CVE-2026-42574 was published for chainguard.dev/apko (Go) May 4, 2026
1seal Credited to 1seal, antitree, markusthoemmes, and vamsik2k5 antitree antitree
markusthoemmes markusthoemmes vamsik2k5 vamsik2k5
PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir` High
CVE-2026-44340 was published for PraisonAI (pip) May 11, 2026
DHIRAL2908 Credited to DHIRAL2908
OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal High
CVE-2026-41397 was published for openclaw (npm) Apr 3, 2026
AntAISecurityLab Credited to AntAISecurityLab
OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host High
CVE-2026-41364 was published for openclaw (npm) Apr 2, 2026
AntAISecurityLab Credited to AntAISecurityLab
Duplicate Advisory: OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host High
GHSA-5799-3xg7-rfrv was published for openclaw (npm) Apr 28, 2026 withdrawn
Spring Boot's PID file write follows symlinks at predictable default path Moderate
CVE-2026-40977 was published for org.springframework.boot:spring-boot-cassandra (Maven) Apr 28, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database