GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,217
Maven
5,000+
npm
5,000+
NuGet
1,021
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,443
Swift
61
Unreviewed advisories
All unreviewed
5,000+
21 advisories
Filter by severity
Mercurial Path Traversal/Link Following vulnerability
Moderate
CVE-2019-3902
was published
for
mercurial
(pip)
Feb 15, 2022
instack-undercloud vulnerable to symlink attack on tmp files
Moderate
CVE-2017-7549
was published
for
instack-undercloud
(pip)
May 13, 2022
Improper Link Resolution Before File Access in pip
Moderate
CVE-2013-1888
was published
for
pip
(pip)
May 13, 2022
keycloak-httpd-client-install symlink attack vulnerability
Moderate
CVE-2017-15111
was published
for
keycloak-httpd-client-install
(pip)
May 14, 2022
Improper Link Resolution Before File Access in Suds
Moderate
CVE-2013-2217
was published
for
suds
(pip)
May 14, 2022
eyeD3 is vulnerable to arbitrary file modification via symlink attack
Moderate
CVE-2014-1934
was published
for
eyeD3
(pip)
May 14, 2022
Openstack DBaaS (Trove) Improper Link Resolution Before File Access
Moderate
CVE-2015-3156
was published
for
trove
(pip)
May 17, 2022
ocrodjvu is vulnerable to Arbitrary File Modification via symlink attack
Moderate
CVE-2010-4338
was published
for
ocrodjvu
(pip)
May 17, 2022
Virtualenv Allows Symlink Attack on /tmp/
Moderate
CVE-2011-4617
was published
for
virtualenv
(pip)
May 17, 2022
Fabric vulnerable to symlink attack on tmp files
Moderate
CVE-2011-2185
was published
for
fabric
(pip)
May 17, 2022
binwalk vulnerable to UNIX Symbolic Link (Symlink) Following
Moderate
CVE-2021-4287
was published
for
binwalk
(pip)
Dec 27, 2022
pip's fallback tar extraction doesn't check symbolic links point to extraction directory
Moderate
CVE-2025-8869
was published
for
pip
(pip)
Sep 24, 2025
filelock has a TOCTOU race condition which allows symlink attacks during lock file creation
Moderate
CVE-2025-68146
was published
for
filelock
(pip)
Dec 16, 2025
filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock
Moderate
CVE-2026-22701
was published
for
filelock
(pip)
Jan 13, 2026
virtualenv Has TOCTOU Vulnerabilities in Directory Creation
Moderate
CVE-2026-22702
was published
for
virtualenv
(pip)
Jan 13, 2026
Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox Escape
Moderate
CVE-2026-34452
was published
for
anthropic
(pip)
Apr 1, 2026
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
Moderate
CVE-2026-28684
was published
for
python-dotenv
(pip)
Apr 21, 2026
BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context
Moderate
CVE-2026-40610
was published
for
bentoml
(pip)
May 7, 2026
LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders
Moderate
GHSA-gr75-jv2w-4656
was published
for
langchain
(pip)
Jun 16, 2026
pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size
Moderate
GHSA-4xgf-cpjx-pc3j
was published
for
pydantic-settings
(pip)
Jun 19, 2026
ProTip!
Advisories are also available from the
GraphQL API