GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
11 advisories
uv has differential in tar extraction with PAX headers
Low
GHSA-w476-p2h3-79g9
was published
for
uv
(pip)
Oct 21, 2025
astral-tokio-tar Vulnerable to PAX Header Desynchronization
High
CVE-2025-62518
was published
for
astral-tokio-tar
(Rust)
Oct 21, 2025
astral-tokio-tar has a path traversal in tar extraction
Moderate
CVE-2025-59825
was published
for
astral-tokio-tar
(Rust)
Sep 23, 2025
PyPI publish GitHub Action vulnerable to injectable expression expansions in action steps
Low
GHSA-vxmw-7h4f-hqxh
was published
for
pypa/gh-action-pypi-publish
(GitHub Actions)
Sep 4, 2025
uv allows ZIP payload obfuscation through parsing differentials
Moderate
CVE-2025-54368
was published
for
uv
(pip)
Aug 7, 2025
rfc3161-client has insufficient verification for timestamp response signatures
Critical
CVE-2025-52556
was published
for
rfc3161-client
(pip)
Jun 20, 2025
pyrage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution
High
CVE-2024-56327
was published
for
pyrage
(pip)
Dec 19, 2024
sigstore has insufficient validation of integration timestamp during verification
Low
CVE-2024-55655
was published
for
sigstore
(pip)
Dec 11, 2024
Artifact poisoning vulnerability in action-download-artifact v5 and earlier
High
GHSA-5xr6-xhww-33m4
was published
for
dawidd6/action-download-artifact
(GitHub Actions)
Nov 25, 2024
Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`
Low
CVE-2024-52587
was published
for
step-security/harden-runner
(GitHub Actions)
Nov 18, 2024
markdown2 is vulnerable to cross-site scripting
Moderate
CVE-2018-5773
was published
for
markdown2
(pip)
Jul 12, 2018
ProTip!
Advisories are also available from the
GraphQL API