
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28 advisories

mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs High
CVE-2021-30465 was published for github.com/opencontainers/runc (Go) May 25, 2021
Credited to champtar
Memory safety violation in crayon High
CVE-2020-35889 was published for crayon (Rust) Aug 25, 2021
Miner fails to get block template when a cell used as a cell dep has been destroyed. High
GHSA-v666-6w97-pcwm was published for ckb (Rust) Aug 25, 2021
Race condition in Apache Tomcat High
CVE-2022-23181 was published for org.apache.tomcat:tomcat (Maven) Feb 1, 2022
Insecure temporary file in Tensorflow High
CVE-2022-23563 was published for tensorflow (pip) Feb 9, 2022
Race Condition in Grunt High
CVE-2022-1537 was published for grunt (npm) May 11, 2022
NuGet Client Remote Code Execution Vulnerability High
CVE-2023-29337 was published for Microsoft.Build.NuGetSdkResolver (NuGet) Jun 14, 2023
FoodCoopShop Server-Side Request Forgery vulnerability High
CVE-2023-46725 was published for foodcoopshop/foodcoopshop (Composer) Nov 2, 2023
Credited to asesidaa and mrothauer
Buildkite Elastic CI for AWS time-of-check-time-of-use race condition vulnerability High
CVE-2023-43741 was published for github.com/buildkite/elastic-ci-stack-for-aws/v6 (Go) Dec 22, 2023
OpenStack Storlets arbitrary code execution vulnerability High
CVE-2024-28717 was published for storlets (pip) Apr 22, 2024
Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability High
CVE-2024-50379 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Dec 17, 2024
Credited to biehl1
Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability High
CVE-2024-56337 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Dec 20, 2024
Credited to greengeko
ASTEVAL Allows Malicious Tampering of Exposed AST Nodes Leads to Sandbox Escape High
GHSA-vp47-9734-prjw was published for asteval (pip) Jan 23, 2025
Credited to SteakEnthusiast
containerd allows host filesystem access on pull High
CVE-2025-47290 was published for github.com/containerd/containerd/v2 (Go) May 21, 2025
Credited to tonistiigi
Credited to tomasilluminati, ssushant0011, and urielcos
Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding High
CVE-2026-27127 was published for craftcms/cms (Composer) Feb 23, 2026
Credited to RajChowdhury240 and rlarabee
Credited to tdjackey
OpenClaw: Sandbox media TOCTOU could read files outside sandbox root High
GHSA-7xmq-g46g-f8pv was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind High
CVE-2026-27545 was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host High
GHSA-mwcg-wfq3-4gjc was published for openclaw (npm) Mar 3, 2026
Credited to tdjackey
OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured High
CVE-2026-22181 was published for openclaw (npm) Mar 3, 2026
Credited to tdjackey
OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind High
GHSA-r54r-wmmq-mh84 was published for openclaw (npm) Mar 3, 2026
Credited to tdjackey
CoreDNS ACL Bypass High
CVE-2026-26017 was published for github.com/coredns/coredns (Go) Mar 6, 2026
Credited to YOUNEVSKY
Sylius has a Promotion Usage Limit Bypass via Race Condition High
CVE-2026-31824 was published for sylius/sylius (Composer) Mar 11, 2026
Credited to whiteov3rflow and bnBart