
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

39 advisories

PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir` High
CVE-2026-44340 was published for PraisonAI (pip) May 11, 2026
Credited to DHIRAL2908
BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context Moderate
CVE-2026-40610 was published for bentoml (pip) May 7, 2026
Credited to larlarua
ciguard: discover_pipeline_files follows symlinks out of scan root Low
CVE-2026-44220 was published for ciguard (pip) May 5, 2026
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback Moderate
CVE-2026-28684 was published for python-dotenv (pip) Apr 21, 2026
Credited to tsigouris007 and bbc2
Weblate: Arbitrary File Read via Symlink High
CVE-2026-34242 was published for weblate (pip) Apr 16, 2026
Credited to DavidCarliez
ONNX: TOCTOU arbitrary file read/write in save_external_dat High
GHSA-q56x-g2fj-4rj6 was published for onnx (pip) Apr 1, 2026
Credited to tsigouris007 and kpatsakis
Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox Escape Moderate
CVE-2026-34452 was published for anthropic (pip) Apr 1, 2026
BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction High
CVE-2026-27905 was published for bentoml (pip) Mar 3, 2026
Credited to q1uf3ng
virtualenv Has TOCTOU Vulnerabilities in Directory Creation Moderate
CVE-2026-22702 was published for virtualenv (pip) Jan 13, 2026
Credited to tsigouris007
filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock Moderate
CVE-2026-22701 was published for filelock (pip) Jan 13, 2026
Credited to tsigouris007
Weblate has an arbitrary file read via symbolic links High
CVE-2025-68279 was published for Weblate (pip) Dec 18, 2025
Credited to secjson and nijel
filelock has a TOCTOU race condition which allows symlink attacks during lock file creation Moderate
CVE-2025-68146 was published for filelock (pip) Dec 16, 2025
Credited to tsigouris007 and gaborbernat
pip's fallback tar extraction doesn't check symbolic links point to extraction directory Moderate
CVE-2025-8869 was published for pip (pip) Sep 24, 2025
Credited to cai0duque, bentasker, swils23, ichard26, and gcbirzan-plutoflume
GluonCV Arbitrary File Write via TarSlip High
CVE-2024-12216 was published for gluoncv (pip) Mar 20, 2025
qdrant input validation failure Critical
CVE-2024-3829 was published for qdrant-client (pip) Jun 3, 2024
binwalk vulnerable to UNIX Symbolic Link (Symlink) Following Moderate
CVE-2021-4287 was published for binwalk (pip) Dec 27, 2022
Fabric vulnerable to symlink attack on tmp files Moderate
CVE-2011-2185 was published for fabric (pip) May 17, 2022
Virtualenv Allows Symlink Attack on /tmp/ Moderate
CVE-2011-4617 was published for virtualenv (pip) May 17, 2022
PIL and Pillow Vulnerable to Symlink Attack on Tmpfiles High
CVE-2014-1932 was published for pillow (pip) May 17, 2022
ocrodjvu is vulnerable to Arbitrary File Modification via symlink attack Moderate
CVE-2010-4338 was published for ocrodjvu (pip) May 17, 2022
Openstack DBaaS (Trove) Improper Link Resolution Before File Access Moderate
CVE-2015-3156 was published for trove (pip) May 17, 2022
pyxdg Arbitrary File Overwrite via Race Condition Low
CVE-2014-1624 was published for pyxdg (pip) May 17, 2022
SaltStack Salt Insecure Temporary File Creation High
CVE-2014-3563 was published for salt (pip) May 17, 2022
eyeD3 is vulnerable to arbitrary file modification via symlink attack Moderate
CVE-2014-1934 was published for eyeD3 (pip) May 14, 2022