GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

54 advisories

Symlink Arbitrary File Overwrite in tar High
CVE-2015-8860 was published for tar (npm) Oct 24, 2017
Arbitrary File Overwrite in tar High
CVE-2018-20834 was published for tar (npm) May 1, 2019
Arbitrary File Overwrite in fstream High
CVE-2019-13173 was published for fstream (npm) May 30, 2019
Arbitrary File Write in npm High
CVE-2019-16775 was published for npm (npm) Dec 13, 2019
Credited to DanielRuf
Arbitrary File Read in Snyk Broker Moderate
CVE-2020-7653 was published for snyk-broker (npm) Jun 3, 2020
Local Privilege Escalation in npm Low
CVE-2013-4116 was published for npm (npm) Sep 1, 2020
Path Traversal in decompress Critical
CVE-2020-12265 was published for decompress (npm) Sep 3, 2020
Credited to tdunlap607
Credited to ginkoid, chen-robert, and levpachmanov
UNIX Symbolic Link (Symlink) Following in @npmcli/arborist High
CVE-2021-39135 was published for @npmcli/arborist (npm) Aug 31, 2021
Credited to JarLob and KateCatlin
@npmcli/arborist vulnerable to UNIX Symbolic Link (Symlink) Following High
CVE-2021-39134 was published for @npmcli/arborist (npm) Aug 31, 2021
Credited to ginkoid and chen-robert
Credited to JarLob, chen-robert, ginkoid, and levpachmanov
Credited to chen-robert, ginkoid, and levpachmanov
Ghost vulnerable to arbitrary file read via symlinks in content import Moderate
CVE-2023-40028 was published for ghost (npm) Aug 15, 2023
Credited to ixSly
@modelcontextprotocol/server-filesystem allows for path validation bypass via prefix matching and symlink handling High
CVE-2025-53109 was published for @modelcontextprotocol/server-filesystem (npm) Jul 1, 2025
Credited to dellalibera
n8n symlink traversal vulnerability in "Read/Write File" node allows access to restricted files Moderate
CVE-2025-57749 was published for n8n (npm) Aug 20, 2025
Credited to Mahmoud0x00
Backstage has a Possible Symlink Path Traversal in Scaffolder Actions High
CVE-2026-24046 was published for @backstage/backend-defaults (npm) Jan 21, 2026
@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass Moderate
CVE-2026-24047 was published for @backstage/cli-common (npm) Jan 21, 2026
pnpm has symlink traversal in file:/git dependencies Moderate
CVE-2026-24056 was published for pnpm (npm) Jan 26, 2026
Credited to mldangelo
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal High
CVE-2026-24842 was published for tar (npm) Jan 28, 2026
Credited to mistersiddd
Compressing Vulnerable to Arbitrary File Write via Symlink Extraction High
CVE-2026-24884 was published for compressing (npm) Feb 3, 2026
Credited to Heeqw
Credited to tdjackey
OpenClaw: Sandbox media TOCTOU could read files outside sandbox root High
GHSA-7xmq-g46g-f8pv was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw has browser trace/download path symlink escape in temp output handling Moderate
CVE-2026-32054 was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write Critical
CVE-2026-32013 was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey