GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 86
GitHub Actions: 54
Go: 4,175
Maven: 5,000+
npm: 5,000+
NuGet: 1,019
pip: 5,000+
Pub: 13
RubyGems: 1,102
Rust: 1,421
Swift: 61

Unreviewed advisories
All unreviewed: 5,000+
2,679 advisories
PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)
High | CVE-2026-49286 was published for pontedilana/php-weasyprint (Composer) | Jun 26, 2026

Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization...
High | Unreviewed | CVE-2026-57527 was published | Jun 26, 2026

Subscriber PHP Object Injection in Buddyboss Platform <= 3.0.4 versions.
Critical | Unreviewed | CVE-2026-56032 was published | Jun 26, 2026

Unauthenticated PHP Object Injection in Uncanny Automator <= 7.3.1.2 versions.
High | Unreviewed | CVE-2026-56031 was published | Jun 26, 2026

Subscriber PHP Object Injection in Uncanny Automator Pro <= 7.3.0.6 versions.
Critical | Unreviewed | CVE-2026-56057 was published | Jun 26, 2026

Subscriber PHP Object Injection in RealHomes <= 4.5.3 versions.
High | Unreviewed | CVE-2026-56055 was published | Jun 26, 2026

In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the...
Moderate | Unreviewed | CVE-2026-53914 was published | Jun 26, 2026

picklescan through 0.0.26 fails to detect malicious pickle files that invoke idlelib.pyshell...
High | Unreviewed | CVE-2025-71340 was published | Jun 26, 2026

golang.org/x/crypto/ssh/agent doesn't drop invoking agent constraints when forwarding keys
Critical | CVE-2026-39832 was published for golang.org/x/crypto/ssh/agent (Go) | Jun 25, 2026

MessagePack-CSharp: Typeless deserialization type restrictions do not recurse into arrays or generic arguments
Moderate | CVE-2026-48517 was published for MessagePack (NuGet) | Jun 25, 2026

MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows
High | CVE-2026-48502 was published for MessagePack (NuGet) | Jun 25, 2026

amazon-braket-sdk vulnerable to Insecure Deserialization via pickle.loads()
High | CVE-2026-9291 was published for amazon-braket-sdk (pip) | Jun 25, 2026

LangGraph Checkpoint: Unsafe JSON deserialization in checkpoint loading
Moderate | CVE-2026-48775 was published for langgraph-checkpoint (pip) | Jun 25, 2026

OpenAM has Unsafe Java Deserialization via SNS
High | CVE-2026-45794 was published for org.openidentityplatform.openam:openam-push-notification (Maven) | Jun 25, 2026

Subscriber PHP Object Injection in EventPrime <= 4.3.4.1 versions.
High | Unreviewed | CVE-2026-56053 was published | Jun 25, 2026

MosaicML Composer Deserialization of Untrusted Data Remote Code Execution Vulnerability. This...
High | Unreviewed | CVE-2026-10043 was published | Jun 25, 2026

Feast before 0.63.0 contains an unsafe deserialization vulnerability that allows unauthenticated...
Critical | Unreviewed | CVE-2026-56121 was published | Jun 24, 2026

OpenAM: Pre-auth RCE via Java Deserialization in WebAuthn Authenticator Storage
Critical | CVE-2026-45051 was published for org.openidentityplatform.openam:openam-auth-webauthn (Maven) | Jun 24, 2026

Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper)...
High | Unreviewed | CVE-2026-41862 was published | Jun 23, 2026

An issue in Pivotal CRM v.6.6.04.08 allows a remote attacker to execute arbitrary code via the...
High | Unreviewed | CVE-2026-39253 was published | Jun 23, 2026

jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation
High | CVE-2026-54512 was published for com.fasterxml.jackson.core:jackson-databind (Maven) | Jun 23, 2026

picklescan before 0.0.29 fails to detect the profile.Profile.runctx function when analyzing...
High | Unreviewed | CVE-2025-71341 was published | Jun 23, 2026

picklescan before 0.0.33 fails to detect malicious pickle files that invoke numpy.f2py...
High | Unreviewed | CVE-2025-71365 was published | Jun 23, 2026

picklescan before 0.0.29 fails to detect malicious pickle files using idlelib.autocomplete...
High | Unreviewed | CVE-2025-71376 was published | Jun 23, 2026

picklescan before 0.0.28 fails to detect malicious torch.jit.unsupported_tensor_ops.execWrapper...
High | Unreviewed | CVE-2025-71370 was published | Jun 23, 2026
ProTip! Advisories are also available from the GraphQL API.