Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
48
Go
3,343
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,550
Pub
12
RubyGems
1,013
Rust
1,203
Swift
51
Unreviewed advisories
All unreviewed
5,000+

1,284 advisories

Loading
BuildKit Git URL subdir component can cause access to restricted files High
CVE-2026-33748 was published for github.com/moby/buildkit (Go) Mar 26, 2026
This issue was addressed with improved validation of symlinks. This issue is fixed in iOS 18.7.7... Moderate Unreviewed
CVE-2026-28866 was published Mar 25, 2026
This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 26.3 and... Moderate Unreviewed
CVE-2026-20694 was published Mar 25, 2026
This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia... Moderate Unreviewed
CVE-2026-20633 was published Mar 25, 2026
Duplicate Advisory: OpenClaw has browser trace/download path symlink escape in temp output handling Moderate
GHSA-ffr4-mrhv-vfr2 was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace Moderate
GHSA-2cwr-f5hx-gg3w was published for openclaw (npm) Mar 19, 2026 withdrawn
Jenkins has a link following vulnerability allows arbitrary file creation High
CVE-2026-33001 was published for org.jenkins-ci.main:jenkins-core (Maven) Mar 18, 2026
bboe Credited to bboe
Capgo CLI: symlink-following local secret writes enable arbitrary file overwrite + world-readable credentials (0600 missing) High
GHSA-8mpm-q7mh-8fvh was published for @capgo/cli (npm) Mar 18, 2026
Judel777 Credited to Judel777
OpenClaw: Sandbox staged writes could escape the verified parent directory before commit High
GHSA-mj4p-rc52-m843 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Sandbox dangling-symlink alias handling could bypass workspace-only write boundary High
GHSA-qcc4-p59m-p54m was published for openclaw (npm) Mar 12, 2026
tdjackey Credited to tdjackey
OpenClaw: workspace path guard bypass on non-existent out-of-root symlink leaf High
GHSA-mgrq-9f93-wpp5 was published for openclaw (npm) Mar 12, 2026
tdjackey Credited to tdjackey
Consul is vulnerable to arbitrary file read when configured with Kubernetes authentication Moderate
CVE-2026-2808 was published for github.com/hashicorp/consul (Go) Mar 12, 2026
ImageMagick has a Path Policy TOCTOU symlink race bypass Moderate
CVE-2026-28689 was published for Magick.NET-Q16-AnyCPU (NuGet) Mar 10, 2026
andsopwn Credited to andsopwn
Improper link resolution before file access ('link following') in Winlogon allows an authorized... High Unreviewed
CVE-2026-25187 was published Mar 10, 2026
Avira Internet Security contains an improper link resolution vulnerability in the Software... High Unreviewed
CVE-2026-27748 was published Mar 5, 2026
tar has Hardlink Path Traversal via Drive-Relative Linkpath High
CVE-2026-29786 was published for tar (npm) Mar 5, 2026
Jvr2022 Credited to Jvr2022
OpenClaw: Hardlink alias checks could bypass workspace-only file boundaries in specific configurations High
GHSA-3jx4-q2m7-r496 was published for openclaw (npm) Mar 4, 2026
tdjackey Credited to tdjackey
OpenClaw has agent avatar symlink traversal in gateway session metadata Moderate
GHSA-9mph-4f7v-fmvh was published for openclaw (npm) Mar 4, 2026
OpenClaw's sandbox bind validation could bypass allowed-root and blocked-path checks via symlink-parent missing-leaf paths High
CVE-2026-27523 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: Zip extraction symlink traversal could write outside destination High
GHSA-jxrq-8fm4-9p58 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: Sandbox media fallback tmp symlink alias bypass allows host file reads outside sandboxRoot High
GHSA-xmv6-r34m-62p4 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
Dell Optimizer, versions prior to 6.3.1, contain an Improper Link Resolution Before File Access (... High Unreviewed
CVE-2026-25906 was published Mar 3, 2026
OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind High
CVE-2026-28483 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: Unified root-bound write hardening for browser output and related path-boundary flows Moderate
CVE-2026-22180 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace High
CVE-2026-31990 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database