GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
570 advisories
Filter by severity
Windmill: Resource-scoped API tokens can read script contents outside their allowed path via scripts/list_search
Moderate
CVE-2026-54136
was published
for
windmill-api
(Rust)
Jul 10, 2026
Rattler vulnerable to package cache path traversal via conda package build string
Moderate
CVE-2026-53956
was published
for
py_rattler
(pip)
Jul 9, 2026
OneRingBuf has a Use After Free Vulnerability
Moderate
GHSA-q95x-7g78-rccv
was published
for
oneringbuf
(Rust)
Jul 8, 2026
async-tar PAX extension-header desync enables tar entry/content smuggling
Moderate
CVE-2026-53600
was published
for
async-tar
(Rust)
Jul 8, 2026
ratex-parser has unbounded parser recursion that leads to stack overflow (process abort)
Moderate
CVE-2026-53531
was published
for
ratex-parser
(Rust)
Jul 7, 2026
printenv: environment variables with invalid UTF-8 are silently skipped (evades inspection)
Moderate
CVE-2026-35366
was published
for
uu_printenv
(Rust)
Jul 6, 2026
Duplicate Advisory: uutils coreutils has an Improper Check for Unusual or Exceptional Conditions
Moderate
GHSA-7259-cwhx-3xx3
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
mv: symlinks expanded during cross-device move (resource exhaustion / data duplication)
Moderate
CVE-2026-35365
was published
for
uu_mv
(Rust)
Jul 6, 2026
Duplicate Advisory: uutils coreutils has a Link Following issue
Moderate
GHSA-66fx-fqv6-5wwx
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
cp: -R reads device nodes as streams, destroying device semantics
Moderate
CVE-2026-35358
was published
for
uu_cp
(Rust)
Jul 6, 2026
Duplicate Advisory: uutils coreutils Uses Incorrectly-Resolved Name or Reference
Moderate
GHSA-67hp-f6hq-2h6g
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
rm: 'rm -rf ./' (and ./// variants) silently deletes current directory contents, bypassing dot protection
Moderate
CVE-2026-35363
was published
for
uu_rm
(Rust)
Jul 6, 2026
Duplicate Advisory: uutils coreutils has a Path Traversal issue
Moderate
GHSA-vchc-9ggh-3236
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
comm: FIFO/pipe inputs are drained before comparison (data loss / hang)
Moderate
CVE-2026-35347
was published
for
uu_comm
(Rust)
Jul 6, 2026
Duplicate Advisory: uutils coreutils' comm utility incorrectly consumes data from non-regular file inputs before performing comparison operations
Moderate
GHSA-rx8h-33gr-vhj9
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
id: groups= computed from real GID instead of effective GID
Moderate
CVE-2026-35370
was published
for
uu_id
(Rust)
Jul 6, 2026
Duplicate Advisory: uutils coreutils has an Incorrect Authorization issue
Moderate
GHSA-q94g-3gcf-66x7
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
rm: --preserve-root bypassed via a symlink to / (string check instead of dev/inode)
Moderate
CVE-2026-35349
was published
for
uu_rm
(Rust)
Jul 6, 2026
Duplicate Advisory: uutils coreutils has a Link Following Issue Via rm Utility
Moderate
GHSA-v762-x3cf-5mfg
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
kill: 'kill -1' parsed as PID -1, sending SIGTERM to all processes (system crash / DoS)
Moderate
CVE-2026-35369
was published
for
uu_kill
(Rust)
Jul 6, 2026
Duplicate Advisory: uutils coreutils has an Improper Input Validation issue
Moderate
GHSA-gpcg-h6x2-c26p
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
install -D: symlink race in directory creation allows arbitrary file overwrite
Moderate
CVE-2026-35356
was published
for
uu_install
(Rust)
Jul 6, 2026
Duplicate Advisory: uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition
Moderate
GHSA-m26v-hjq3-x245
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
install: TOCTOU symlink race (unlink-then-create without O_EXCL) allows arbitrary file overwrite
Moderate
CVE-2026-35355
was published
for
uu_install
(Rust)
Jul 6, 2026
Duplicate Advisory: uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition
Moderate
GHSA-v24v-f45g-w7jf
was published
for
coreutils
(Rust)
Apr 22, 2026
•
withdrawn
ProTip!
Advisories are also available from the
GraphQL API