Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,498 advisories

Loading
Prompty: Arbitrary file read via file reference expansion High
CVE-2026-53598 was published for @prompty/core (npm) Jul 17, 2026
nimiq-primitives: Out-of-bounds panic in KeyNibbles::Add from oversized child suffix in a deserialized proof Low
CVE-2026-54542 was published for nimiq-primitives (Rust) Jul 16, 2026
paberr Credited to paberr and Piravlos Piravlos Piravlos
nimiq-primitives: Panic in TrieProof::verify via child_index unwrap on equal-length keys Low
CVE-2026-54541 was published for nimiq-primitives (Rust) Jul 16, 2026
paberr Credited to paberr and Piravlos Piravlos Piravlos
serde_with: KeyValueMap serialization panics on empty sequence or map entries Moderate
GHSA-7gcf-g7xr-8hxj was published for serde_with (Rust) Jul 15, 2026
7thParkk Credited to 7thParkk
Wasmtime: Memory leak in C API with `externref` and `anyref` types Low
CVE-2025-61670 was published for wasmtime-bin (pip) Jul 14, 2026
alexcrichton Credited to alexcrichton
`exploration` was removed from crates.io for malicious code Critical
GHSA-99j7-fhr2-xfj4 was published for exploration (Rust) Jul 10, 2026
Lechu69 Credited to Lechu69
Rattler vulnerable to package cache path traversal via conda package build string Moderate
CVE-2026-53956 was published for py_rattler (pip) Jul 9, 2026
OneRingBuf has a Use After Free Vulnerability Moderate
GHSA-q95x-7g78-rccv was published for oneringbuf (Rust) Jul 8, 2026
async-tar PAX extension-header desync enables tar entry/content smuggling Moderate
CVE-2026-53600 was published for async-tar (Rust) Jul 8, 2026
tonghuaroot Credited to tonghuaroot
rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path Low
GHSA-cwv4-h3j5-w3cf was published for rama (Rust) Jul 7, 2026
chaitanyagarware Credited to chaitanyagarware
ratex-parser has unbounded parser recursion that leads to stack overflow (process abort) Moderate
CVE-2026-53531 was published for ratex-parser (Rust) Jul 7, 2026
nikkoenggaliano Credited to nikkoenggaliano
ratex-parser panics on `\verb` with a multibyte delimiter (UTF-8 byte-boundary slice) High
CVE-2026-53530 was published for ratex-parser (Rust) Jul 7, 2026
nikkoenggaliano Credited to nikkoenggaliano
cut: -s ignored in -z -d '' newline-delimiter mode Low
CVE-2026-35381 was published for uu_cut (Rust) Jul 6, 2026
mknod: Device nodes created mislabeled on SELinux, with broken cleanup (remove_dir on a node) Low
CVE-2026-35361 was published for uu_mknod (Rust) Jul 6, 2026
mkfifo: permissions of an existing file are changed after FIFO creation fails High
CVE-2026-35341 was published for uu_mkfifo (Rust) Jul 6, 2026
defuse Credited to defuse, nuttycom, daira, conradoplg, mpguerra, and alchemydc nuttycom nuttycom
daira daira conradoplg conradoplg mpguerra mpguerra alchemydc alchemydc
printenv: environment variables with invalid UTF-8 are silently skipped (evades inspection) Moderate
CVE-2026-35366 was published for uu_printenv (Rust) Jul 6, 2026
uucore: safe_traversal TOCTOU protection only enabled on Linux Low
CVE-2026-35362 was published for uucore (Rust) Jul 6, 2026
mv: symlinks expanded during cross-device move (resource exhaustion / data duplication) Moderate
CVE-2026-35365 was published for uu_mv (Rust) Jul 6, 2026
cp: -R reads device nodes as streams, destroying device semantics Moderate
CVE-2026-35358 was published for uu_cp (Rust) Jul 6, 2026
comm: FIFO/pipe inputs are drained before comparison (data loss / hang) Moderate
CVE-2026-35347 was published for uu_comm (Rust) Jul 6, 2026
ProTip! Advisories are also available from the GraphQL API