GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
111 advisories
This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia...
Moderate | Unreviewed | CVE-2025-43278 was published Jun 11, 2026

PDM: Project-Local State and Config Writes Follow Symlinks
Moderate | CVE-2026-47763 was published for pdm (pip) Jun 10, 2026

skillctl: Path traversal and symlink-follow in skillctl allow arbitrary file disclosure and deletion
High | GHSA-wx3m-whqv-xv47 was published for skillctl (Rust) Jun 5, 2026

Docker: Race condition in docker cp allows bind mount redirection to host path
High | CVE-2026-42306 was published for github.com/docker/docker (Go) May 18, 2026

Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
Moderate | CVE-2026-41568 was published for github.com/docker/docker (Go) May 18, 2026

Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload...
High | Unreviewed | CVE-2026-41937 was published May 14, 2026

Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin...
High | Unreviewed | CVE-2026-6475 was published May 14, 2026

pgAdmin 4 File Manager has symbolic-link path traversal
High | CVE-2026-7819 was published for pgadmin4 (pip) May 11, 2026

A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing...
High | Unreviewed | CVE-2026-29203 was published May 8, 2026

astral-tokio-tar: `unpack_in` can chmod arbitrary directories by following symlinks
Low | GHSA-xx64-wwv2-hcqq was published for astral-tokio-tar (Rust) May 6, 2026

OpenClaw contains a symlink traversal vulnerability
Moderate | CVE-2026-43570 was published for openclaw (npm) May 5, 2026

Kata Container has CopyFile Policy Subversion via Symlinks
High | CVE-2026-41326 was published for github.com/kata-containers/kata-containers (Go) May 4, 2026

zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write
High | CVE-2026-42275 was published for github.com/openziti/zrok (Go) Apr 25, 2026

uutils coreutils has a UNIX Symbolic Link (Symlink) Following issue
Moderate | CVE-2026-35372 was published for coreutils (Rust) Apr 22, 2026

Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace
High | CVE-2026-39861 was published for @anthropic-ai/claude-code (npm) Apr 21, 2026

python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
Moderate | CVE-2026-28684 was published for python-dotenv (pip) Apr 21, 2026

Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash...
Low | Unreviewed | CVE-2026-40354 was published Apr 11, 2026

Duplicate Advisory: OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)
Moderate | GHSA-pmf3-2q63-jmp6 was published for openclaw (npm) Apr 10, 2026 • withdrawn

A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS...
High | Unreviewed | CVE-2026-21916 was published Apr 10, 2026

LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates
High | CVE-2026-35525 was published for liquidjs (npm) Apr 8, 2026

OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host
High | CVE-2026-41364 was published for openclaw (npm) Apr 2, 2026

ONNX: External Data Symlink Traversal
Moderate | CVE-2026-34447 was published for onnx (pip) Apr 1, 2026

ONNX: Arbitrary File Read via ExternalData Hardlink Bypass in ONNX load
Moderate | CVE-2026-34446 was published for onnx (pip) Apr 1, 2026

Dell AppSync, version(s) 4.6.0, contain(s) an UNIX Symbolic Link (Symlink) Following...
High | Unreviewed | CVE-2026-22767 was published Apr 1, 2026

onnx Vulnerable to Path Traversal via Symlink
High | CVE-2026-27489 was published for onnx (pip) Mar 31, 2026