
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

367 advisories

HuggingFace transformers vulnerable to remote code execution High
CVE-2026-4372 was published for transformers (pip) May 26, 2026
Credited to aaronmaxlevy
Credited to warsang
TYPO3 Remote Code Execution in extension "Site Crawler" (crawler) High
CVE-2026-8727 was published for tomasnorre/crawler (Composer) May 19, 2026
Credited to eliashaeussler
PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass) High
CVE-2026-49286 was published for pontedilana/php-weasyprint (Composer) Jun 26, 2026
Credited to AArnott
amazon-braket-sdk vulnerable to Insecure Deserialization via pickle.loads() High
CVE-2026-9291 was published for amazon-braket-sdk (pip) Jun 25, 2026
OpenAM has Unsafe Java Deserialization via SNS High
CVE-2026-45794 was published for org.openidentityplatform.openam:openam-push-notification (Maven) Jun 25, 2026
Credited to wodzen
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation High
CVE-2026-54512 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to caveeroo, omkhar, and 75ACOL
Concrete CMS Vulnerable to Deserialization of Untrusted Data High
CVE-2026-8135 was published for concrete5/concrete5 (Composer) May 21, 2026
Credited to sectroyer
Spinnaker has non-safe yaml deserialization, allowing RCE when using specific types High
CVE-2026-44795 was published for io.spinnaker.orca:orca-core (Maven) Jun 22, 2026
VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files High
GHSA-rpj2-4hq8-938g was published for vcrpy (pip) Jun 19, 2026
Credited to RamiAltai
Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders High
CVE-2026-54499 was published for stanza (pip) Jun 19, 2026
Credited to RamiAltai
Picklescan vulnerable to Arbitrary File Writing High
CVE-2025-71321 was published for picklescan (pip) Dec 29, 2025
Credited to 0x-Apollyon
picklescan missing detection by simple obfuscation of a `builtins.eval` call High
CVE-2026-53874 was published for picklescan (pip) Feb 2, 2026
Credited to ogrisel
Picklescan has pickle parsing logic flaw that leads to malicious pickle file bypass High
CVE-2025-71325 was published for picklescan (pip) Aug 12, 2025
Credited to Lyutoon
In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization High
CVE-2026-41731 was published for org.springframework.kafka:spring-kafka (Maven) Jun 10, 2026
Credited to oscerd
GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection High
CVE-2025-27511 was published for org.geoserver.extension:gs-db2 (Maven) Jun 11, 2026
Credited to H4cking2theGate, jodygarnett, and aaime
LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning High
CVE-2026-45134 was published for langchain (npm) May 13, 2026
Credited to Moaaz-0x and berardinellidaniele
Credited to u-ktdi, dewankpant, shrutilohani, Moaaz-0x, yardenporat353, pucagit, nick-hollon-lc, and localhost-detect
Deserialization of Untrusted Data in Gson High
CVE-2022-25647 was published for com.google.code.gson:gson (Maven) May 3, 2022
MONAI: Unsafe torch usage may lead to arbitrary code execution High
CVE-2025-58756 was published for monai (pip) Sep 9, 2025
Credited to h3rrr
Monai: Unsafe use of Pickle deserialization may lead to RCE High
CVE-2025-58757 was published for monai (pip) Sep 9, 2025
Credited to h3rrr
Fickling has Code Injection vulnerability via pty.spawn() High
CVE-2025-67748 was published for fickling (pip) Dec 15, 2025
Credited to ajohnston9 and 0x00nier
Apache Airflow allows code execution through crafted XCom payloads High
CVE-2026-25917 was published for apache-airflow-core (pip) Apr 18, 2026