GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,217
Maven
5,000+
npm
5,000+
NuGet
1,021
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,443
Swift
61
Unreviewed advisories
All unreviewed
5,000+
367 advisories
Filter by severity
HuggingFace transformers vulnerable to remote code execution
High
CVE-2026-4372
was published
for
transformers
(pip)
May 26, 2026
flash-attention contains an insecure deserialization vulnerability in its checkpoint loading mechanism
High
CVE-2026-31253
was published
for
flash_attn
(pip)
May 11, 2026
TYPO3 Remote Code Execution in extension "Site Crawler" (crawler)
High
CVE-2026-8727
was published
for
tomasnorre/crawler
(Composer)
May 19, 2026
PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)
High
CVE-2026-49286
was published
for
pontedilana/php-weasyprint
(Composer)
Jun 26, 2026
MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows
High
CVE-2026-48502
was published
for
MessagePack
(NuGet)
Jun 25, 2026
amazon-braket-sdk vulnerable to Insecure Deserialization via pickle.loads()
High
CVE-2026-9291
was published
for
amazon-braket-sdk
(pip)
Jun 25, 2026
OpenAM has Unsafe Java Deserialization via SNS
High
CVE-2026-45794
was published
for
org.openidentityplatform.openam:openam-push-notification
(Maven)
Jun 25, 2026
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation
High
CVE-2026-54512
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
Concrete CMS Vulnerable to Deserialization of Untrusted Data
High
CVE-2026-8135
was published
for
concrete5/concrete5
(Composer)
May 21, 2026
Glances has Insecure Pickle Deserialization in its Version Cache that Leads to Arbitrary Code Execution
High
CVE-2026-46607
was published
for
glances
(pip)
Jun 22, 2026
Spinnaker has uon-safe yaml deserialization, allowing RCE when using specific types
High
CVE-2026-44795
was published
for
io.spinnaker.orca:orca-core
(Maven)
Jun 22, 2026
VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files
High
GHSA-rpj2-4hq8-938g
was published
for
vcrpy
(pip)
Jun 19, 2026
Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders
High
CVE-2026-54499
was published
for
stanza
(pip)
Jun 19, 2026
Picklescan vulnerable to Arbitrary File Writing
High
CVE-2025-71321
was published
for
picklescan
(pip)
Dec 29, 2025
picklescan missing detection by simple obfuscation of a `builtins.eval` call
High
CVE-2026-53874
was published
for
picklescan
(pip)
Feb 2, 2026
Picklescan has pickle parsing logic flaw that leads to malicious pickle file bypass
High
CVE-2025-71325
was published
for
picklescan
(pip)
Aug 12, 2025
In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization
High
CVE-2026-41731
was published
for
org.springframework.kafka:spring-kafka
(Maven)
Jun 10, 2026
GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection
High
CVE-2025-27511
was published
for
org.geoserver.extension:gs-db2
(Maven)
Jun 11, 2026
LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
High
CVE-2026-45134
was published
for
langchain
(npm)
May 13, 2026
LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists
High
CVE-2026-44843
was published
for
langchain-core
(pip)
May 8, 2026
Deserialization of Untrusted Data in Gson
High
CVE-2022-25647
was published
for
com.google.code.gson:gson
(Maven)
May 3, 2022
MONAI: Unsafe torch usage may lead to arbitrary code execution
High
CVE-2025-58756
was published
for
monai
(pip)
Sep 9, 2025
Monai: Unsafe use of Pickle deserialization may lead to RCE
High
CVE-2025-58757
was published
for
monai
(pip)
Sep 9, 2025
Fickling has Code Injection vulnerability via pty.spawn()
High
CVE-2025-67748
was published
for
fickling
(pip)
Dec 15, 2025
Apache Airflow allows code execution through crafted XCom payloads
High
CVE-2026-25917
was published
for
apache-airflow-core
(pip)
Apr 18, 2026
ProTip!
Advisories are also available from the
GraphQL API