
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

81 advisories

Credited to Faze-up
Credited to sondt99
go.qbee.io/transport: Symlink-chain path traversal in tar extraction (one level outside destination) Moderate
CVE-2026-55828 was published for go.qbee.io/transport (Go) Jun 19, 2026
Credited to ttzero25
Hugo: Symlink confinement bypass in os.ReadFile Moderate
GHSA-c3wq-j5vh-68rc was published for github.com/gohugoio/hugo (Go) Jun 19, 2026
Credited to vnth4nhnt
Podman: WORKDIR symlink traversal vulnerability Moderate
CVE-2026-55686 was published for github.com/containers/podman/v3 (Go) Jun 18, 2026
Credited to eriksjolund
Chrome DevTools for agents: daemon.pid write follows symlinks in /tmp fallback runtime directory Moderate
CVE-2026-53765 was published for chrome-devtools-mcp (npm) Jun 17, 2026
Credited to enable7997
Hugo: Symlink confinement bypass in resources.Get Moderate
CVE-2026-50135 was published for github.com/gohugoio/hugo (Go) Jun 16, 2026
Credited to unknownhad
LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders Moderate
GHSA-gr75-jv2w-4656 was published for langchain (pip) Jun 16, 2026
Credited to Mistz1 and deprrous
Microsoft Security Advisory CVE-2026-45491 – .NET Tampering Vulnerability Moderate
CVE-2026-45491 was published for Microsoft.NETCore.App.Runtime.linux-x64 (NuGet) Jun 16, 2026
File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope Moderate
CVE-2026-54094 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
Credited to DavidCarliez, hacdias, m2hcz, and alanturing881
Sparkle: Binary delta apply intermediate-symlink traversal in malicious .delta Moderate
CVE-2026-47121 was published for github.com/sparkle-project/Sparkle (Swift) May 29, 2026
Credited to fg0x0
HashiCorp Nomad vulnerable to symlink attack Moderate
CVE-2026-6959 was published for github.com/hashicorp/nomad (Go) May 12, 2026
HashiCorp Nomad’s exec2 task driver vulnerable to a symlink attack Moderate
CVE-2026-8052 was published for github.com/hashicorp/nomad-driver-exec2 (Go) May 12, 2026
BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context Moderate
CVE-2026-40610 was published for bentoml (pip) May 7, 2026
Credited to larlarua
Spring Boot's PID file write follows symlinks at predictable default path Moderate
CVE-2026-40977 was published for org.springframework.boot:spring-boot-cassandra (Maven) Apr 28, 2026
uutils coreutils has a Link Following Issue Via rm Utility Moderate
CVE-2026-35349 was published for coreutils (Rust) Apr 22, 2026
uutils coreutils has a Link Following issue Moderate
CVE-2026-35359 was published for coreutils (Rust) Apr 22, 2026
uutils coreutils has a Link Following issue Moderate
CVE-2026-35365 was published for coreutils (Rust) Apr 22, 2026
uutils coreutils has a Link Following Issue Moderate
CVE-2026-35345 was published for coreutils (Rust) Apr 22, 2026
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback Moderate
CVE-2026-28684 was published for python-dotenv (pip) Apr 21, 2026
Credited to tsigouris007 and bbc2
Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox Escape Moderate
CVE-2026-34452 was published for anthropic (pip) Apr 1, 2026
Duplicate Advisory: OpenClaw has browser trace/download path symlink escape in temp output handling Moderate
GHSA-ffr4-mrhv-vfr2 was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace Moderate
GHSA-2cwr-f5hx-gg3w was published for openclaw (npm) Mar 19, 2026 withdrawn
Consul is vulnerable to arbitrary file read when configured with Kubernetes authentication Moderate
CVE-2026-2808 was published for github.com/hashicorp/consul (Go) Mar 12, 2026