GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,217
Maven
5,000+
npm
5,000+
NuGet
1,021
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,443
Swift
61
Unreviewed advisories
All unreviewed
5,000+
54 advisories
Filter by severity
Arbitrary File Overwrite in fstream
High
CVE-2019-13173
was published
for
fstream
(npm)
May 30, 2019
Arbitrary File Read in Snyk Broker
Moderate
CVE-2020-7653
was published
for
snyk-broker
(npm)
Jun 3, 2020
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
High
CVE-2021-32803
was published
for
tar
(npm)
Aug 3, 2021
UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
High
CVE-2021-39135
was published
for
@npmcli/arborist
(npm)
Aug 31, 2021
@npmcli/arborist vulnerable to UNIX Symbolic Link (Symlink) Following
High
CVE-2021-39134
was published
for
@npmcli/arborist
(npm)
Aug 31, 2021
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
High
CVE-2021-37712
was published
for
tar
(npm)
Aug 31, 2021
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
High
CVE-2021-37701
was published
for
tar
(npm)
Aug 31, 2021
Ghost vulnerable to arbitrary file read via symlinks in content import
Moderate
CVE-2023-40028
was published
for
ghost
(npm)
Aug 15, 2023
@modelcontextprotocol/server-filesystem allows for path validation bypass via prefix matching and symlink handling
High
CVE-2025-53109
was published
for
@modelcontextprotocol/server-filesystem
(npm)
Jul 1, 2025
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
Low
CVE-2025-54798
was published
for
tmp
(npm)
Aug 6, 2025
n8n symlink traversal vulnerability in "Read/Write File" node allows access to restricted files
Moderate
CVE-2025-57749
was published
for
n8n
(npm)
Aug 20, 2025
Backstage has a Possible Symlink Path Traversal in Scaffolder Actions
High
CVE-2026-24046
was published
for
@backstage/backend-defaults
(npm)
Jan 21, 2026
@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass
Moderate
CVE-2026-24047
was published
for
@backstage/cli-common
(npm)
Jan 21, 2026
pnpm has symlink traversal in file:/git dependencies
Moderate
CVE-2026-24056
was published
for
pnpm
(npm)
Jan 26, 2026
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
High
CVE-2026-24842
was published
for
tar
(npm)
Jan 28, 2026
Compressing Vulnerable to Arbitrary File Write via Symlink Extraction
High
CVE-2026-24884
was published
for
compressing
(npm)
Feb 3, 2026
OpenClaw's TOCTOU symlink race in writeFileWithinRoot could create or truncate files outside root boundaries
High
GHSA-x82f-27x3-q89c
was published
for
openclaw
(npm)
Mar 2, 2026
OpenClaw: Sandbox media TOCTOU could read files outside sandbox root
High
GHSA-7xmq-g46g-f8pv
was published
for
openclaw
(npm)
Mar 2, 2026
OpenClaw has browser trace/download path symlink escape in temp output handling
Moderate
CVE-2026-32054
was published
for
openclaw
(npm)
Mar 2, 2026
OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write
Critical
CVE-2026-32013
was published
for
openclaw
(npm)
Mar 2, 2026
ProTip!
Advisories are also available from the
GraphQL API