GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
63 advisories
Filter by severity
install -D: symlink race in directory creation allows arbitrary file overwrite
Moderate
CVE-2026-35356
was published
for
uu_install
(Rust)
Jul 6, 2026
install: TOCTOU symlink race (unlink-then-create without O_EXCL) allows arbitrary file overwrite
Moderate
CVE-2026-35355
was published
for
uu_install
(Rust)
Jul 6, 2026
Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)
Moderate
CVE-2026-54242
was published
for
statamic/cms
(Composer)
Jun 26, 2026
ChatterBot: Symlink-Following Arbitrary Write via UbuntuCorpusTrainer
Moderate
GHSA-wvrh-2f4m-924v
was published
for
ChatterBot
(pip)
Jun 19, 2026
CoreWCF NetNamedPipe transport accepts attach to a pre-existing named pipe instance
Moderate
CVE-2026-54777
was published
for
CoreWCF.NetNamedPipe
(NuGet)
Jun 19, 2026
Keycloak has a Time-of-check Time-of-use (TOCTOU) Race Condition
Moderate
CVE-2026-9796
was published
for
org.keycloak:keycloak-server
(Maven)
May 28, 2026
Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
Moderate
CVE-2026-41568
was published
for
github.com/docker/docker
(Go)
May 18, 2026
AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`
Moderate
CVE-2026-45619
was published
for
WWBN/AVideo
(Composer)
May 15, 2026
Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes
Moderate
CVE-2026-42592
was published
for
github.com/gotenberg/gotenberg/v8
(Go)
May 7, 2026
Duplicate Advisory: OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root
Moderate
GHSA-6f72-9gxx-98mj
was published
for
openclaw
(npm)
May 6, 2026
•
withdrawn
Duplicate Advisory: OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes
Moderate
GHSA-frr5-j3mh-h9ch
was published
for
openclaw
(npm)
May 6, 2026
•
withdrawn
Duplicate Advisory: OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding
Moderate
GHSA-w7rc-vvgx-pj45
was published
for
openclaw
(npm)
May 6, 2026
•
withdrawn
OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes
Moderate
CVE-2026-44113
was published
for
openclaw
(npm)
May 4, 2026
OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root
Moderate
CVE-2026-44112
was published
for
openclaw
(npm)
May 4, 2026
Duplicate Advisory: OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection
Moderate
GHSA-cw28-63x4-37c3
was published
for
openclaw
(npm)
Apr 24, 2026
•
withdrawn
uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition
Moderate
CVE-2026-35376
was published
for
coreutils
(Rust)
Apr 22, 2026
uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition
Moderate
CVE-2026-35374
was published
for
coreutils
(Rust)
Apr 22, 2026
Duplicate Advisory: uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition
Moderate
GHSA-m26v-hjq3-x245
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
Duplicate Advisory: uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition
Moderate
GHSA-v24v-f45g-w7jf
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition
Moderate
CVE-2026-35354
was published
for
coreutils
(Rust)
Apr 22, 2026
uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition
Moderate
CVE-2026-35357
was published
for
coreutils
(Rust)
Apr 22, 2026
uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition
Moderate
CVE-2026-35364
was published
for
coreutils
(Rust)
Apr 22, 2026
uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition
Moderate
CVE-2026-35360
was published
for
coreutils
(Rust)
Apr 22, 2026
Spring Security Core has a TOCTOU race condition when One-Time Token login with JdbcOneTimeTokenService is configured
Moderate
CVE-2026-22751
was published
for
org.springframework.security:spring-security-core
(Maven)
Apr 21, 2026
Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement
Moderate
CVE-2026-3590
was published
for
github.com/mattermost/mattermost-server
(Go)
Apr 17, 2026
ProTip!
Advisories are also available from the
GraphQL API