Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,492 advisories

Loading
`exploration` was removed from crates.io for malicious code Critical
GHSA-99j7-fhr2-xfj4 was published for exploration (Rust) Jul 10, 2026
Lechu69 Credited to Lechu69
Rattler vulnerable to package cache path traversal via conda package build string Moderate
CVE-2026-53956 was published for py_rattler (pip) Jul 9, 2026
OneRingBuf has a Use After Free Vulnerability Moderate
GHSA-q95x-7g78-rccv was published for oneringbuf (Rust) Jul 8, 2026
async-tar PAX extension-header desync enables tar entry/content smuggling Moderate
CVE-2026-53600 was published for async-tar (Rust) Jul 8, 2026
tonghuaroot Credited to tonghuaroot
rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path Low
GHSA-cwv4-h3j5-w3cf was published for rama (Rust) Jul 7, 2026
chaitanyagarware Credited to chaitanyagarware
ratex-parser has unbounded parser recursion that leads to stack overflow (process abort) Moderate
CVE-2026-53531 was published for ratex-parser (Rust) Jul 7, 2026
nikkoenggaliano Credited to nikkoenggaliano
ratex-parser panics on `\verb` with a multibyte delimiter (UTF-8 byte-boundary slice) High
CVE-2026-53530 was published for ratex-parser (Rust) Jul 7, 2026
nikkoenggaliano Credited to nikkoenggaliano
cut: -s ignored in -z -d '' newline-delimiter mode Low
CVE-2026-35381 was published for uu_cut (Rust) Jul 6, 2026
mknod: Device nodes created mislabeled on SELinux, with broken cleanup (remove_dir on a node) Low
CVE-2026-35361 was published for uu_mknod (Rust) Jul 6, 2026
mkfifo: permissions of an existing file are changed after FIFO creation fails High
CVE-2026-35341 was published for uu_mkfifo (Rust) Jul 6, 2026
defuse Credited to defuse, nuttycom, daira, conradoplg, mpguerra, and alchemydc nuttycom nuttycom
daira daira conradoplg conradoplg mpguerra mpguerra alchemydc alchemydc
printenv: environment variables with invalid UTF-8 are silently skipped (evades inspection) Moderate
CVE-2026-35366 was published for uu_printenv (Rust) Jul 6, 2026
uucore: safe_traversal TOCTOU protection only enabled on Linux Low
CVE-2026-35362 was published for uucore (Rust) Jul 6, 2026
mv: symlinks expanded during cross-device move (resource exhaustion / data duplication) Moderate
CVE-2026-35365 was published for uu_mv (Rust) Jul 6, 2026
cp: -R reads device nodes as streams, destroying device semantics Moderate
CVE-2026-35358 was published for uu_cp (Rust) Jul 6, 2026
comm: FIFO/pipe inputs are drained before comparison (data loss / hang) Moderate
CVE-2026-35347 was published for uu_comm (Rust) Jul 6, 2026
id: groups= computed from real GID instead of effective GID Moderate
CVE-2026-35370 was published for uu_id (Rust) Jul 6, 2026
mkdir: -m exposes directory with umask perms before chmod (race window) Low
CVE-2026-35353 was published for uu_mkdir (Rust) Jul 6, 2026
rm: --preserve-root bypassed via a symlink to / (string check instead of dev/inode) Moderate
CVE-2026-35349 was published for uu_rm (Rust) Jul 6, 2026
id: pretty-print uses effective GID instead of effective UID for name lookup Low
CVE-2026-35371 was published for uu_id (Rust) Jul 6, 2026
kill: 'kill -1' parsed as PID -1, sending SIGTERM to all processes (system crash / DoS) Moderate
CVE-2026-35369 was published for uu_kill (Rust) Jul 6, 2026
install -D: symlink race in directory creation allows arbitrary file overwrite Moderate
CVE-2026-35356 was published for uu_install (Rust) Jul 6, 2026
ProTip! Advisories are also available from the GraphQL API