Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

143 advisories

Loading
Diffusers: TOCTOU Trust Remote Code Bypass High
CVE-2026-45804 was published for diffusers (pip) May 20, 2026
zafido Credited to zafido and gal-zafran gal-zafran gal-zafran
chdanielmueller Credited to chdanielmueller
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption High
CVE-2026-53517 was published for @better-auth/oauth-provider (npm) Jul 7, 2026
chdanielmueller Credited to chdanielmueller
uucore: safe_traversal TOCTOU protection only enabled on Linux Low
CVE-2026-35362 was published for uucore (Rust) Jul 6, 2026
Duplicate Advisory: uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition Low
GHSA-ggc5-46rg-mr4v was published for coreutils (Rust) Apr 22, 2026 withdrawn
mkdir: -m exposes directory with umask perms before chmod (race window) Low
CVE-2026-35353 was published for uu_mkdir (Rust) Jul 6, 2026
Duplicate Advisory: uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition Low
GHSA-vf87-345h-9qhx was published for coreutils (Rust) Apr 22, 2026 withdrawn
install -D: symlink race in directory creation allows arbitrary file overwrite Moderate
CVE-2026-35356 was published for uu_install (Rust) Jul 6, 2026
Duplicate Advisory: uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition Moderate
GHSA-m26v-hjq3-x245 was published for coreutils (Rust) Apr 22, 2026 withdrawn
install: TOCTOU symlink race (unlink-then-create without O_EXCL) allows arbitrary file overwrite Moderate
CVE-2026-35355 was published for uu_install (Rust) Jul 6, 2026
Duplicate Advisory: uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition Moderate
GHSA-v24v-f45g-w7jf was published for coreutils (Rust) Apr 22, 2026 withdrawn
OpenClaw: Combined POSIX shell options could confuse exec revalidation High
CVE-2026-53806 was published for openclaw (npm) Jul 2, 2026
YLChen-007 Credited to YLChen-007
OpenClaw: Node pairing reconnection could confuse approval scope state High
GHSA-83w9-h5wv-j9xm was published for openclaw (npm) Jul 2, 2026
YLChen-007 Credited to YLChen-007
Keycloak has a Time-of-check Time-of-use (TOCTOU) Race Condition Moderate
CVE-2026-9796 was published for org.keycloak:keycloak-server (Maven) May 28, 2026
Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding) Moderate
CVE-2026-54242 was published for statamic/cms (Composer) Jun 26, 2026
jqr1449186277 Credited to jqr1449186277
Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy Low
CVE-2026-49262 was published for aimeos/pagible (Composer) Jun 26, 2026
PomPomSaturin Credited to PomPomSaturin
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation High
CVE-2026-54353 was published for @budibase/backend-core (npm) Jun 22, 2026
Artex09 Credited to Artex09
ChatterBot: Symlink-Following Arbitrary Write via UbuntuCorpusTrainer Moderate
GHSA-wvrh-2f4m-924v was published for ChatterBot (pip) Jun 19, 2026
AAtomical Credited to AAtomical
Crossplane: Signature verification TOCTOU allows installing unverified package content via mutable tag Critical
GHSA-wfqx-gjrf-g28r was published for github.com/crossplane/crossplane (Go) Jun 19, 2026
bugbunny-research Credited to bugbunny-research and tonghuaroot tonghuaroot tonghuaroot
CoreWCF NetNamedPipe transport accepts attach to a pre-existing named pipe instance Moderate
CVE-2026-54777 was published for CoreWCF.NetNamedPipe (NuGet) Jun 19, 2026
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse Low
CVE-2026-6733 was published for undici (npm) Jun 19, 2026
mcollina Credited to mcollina and UlisesGascon UlisesGascon UlisesGascon
Spring Cloud Config Server Susceptible To TOCTOU Attack High
CVE-2026-41002 was published for org.springframework.cloud:spring-cloud-config-server (Maven) May 7, 2026
scottfrederick Credited to scottfrederick
PraisonAI: Jobs webhook SSRF protection bypass via DNS rebinding High
GHSA-rjvw-7vvw-549v was published for praisonai (pip) Jun 18, 2026
rexpository Credited to rexpository
Pi Agent: Race condition in Pi auth.json writes could expose stored credentials Low
CVE-2026-54327 was published for @earendil-works/pi-coding-agent (npm) Jun 17, 2026
urianpaul94 Credited to urianpaul94
Docker: Race condition in docker cp allows bind mount redirection to host path High
CVE-2026-42306 was published for github.com/docker/docker (Go) May 18, 2026
vvoland Credited to vvoland
ProTip! Advisories are also available from the GraphQL API