
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

343 advisories

LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning (High severity)
CVE-2026-45134 was published for langchain (npm) May 13, 2026
Credited to Moaaz-0x and berardinellidaniele
Credited to u-ktdi, dewankpant, shrutilohani, Moaaz-0x, yardenporat353, pucagit, nick-hollon-lc, and localhost-detect
Apache Camel-Infinispan Component Vulnerable to Deserialization of Untrusted Data (High severity)
CVE-2026-40858 was published for org.apache.camel:camel-infinispan (Maven) Apr 27, 2026
Camel-MINA Vulnerable to Deserialization of Untrusted Data (High severity)
CVE-2026-40473 was published for org.apache.camel:camel-mina (Maven) Apr 27, 2026
Camel-PQC Vulnerable to Deserialization of Untrusted Data (High severity)
CVE-2026-40048 was published for org.apache.camel:camel-pqc (Maven) Apr 27, 2026
k8sGPT has Prompt Injection through its k8sGPT-Operator (High severity)
GHSA-rp7v-4384-hfrp was published for github.com/k8sgpt-ai/k8sgpt (Go) Apr 24, 2026
Credited to haruki3hhh
Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization (High severity)
CVE-2026-41486 was published for ray (pip) Apr 24, 2026
Credited to shakevsky
camel-infinispan Vulnerable to Deserialization of Untrusted Data (High severity)
CVE-2026-6857 was published for org.apache.camel:camel-infinispan (Maven) Apr 22, 2026
OpenMage LTS: Phar Deserialization leads to Remote Code Execution (High severity)
CVE-2026-25524 was published for openmage/magento-lts (Composer) Apr 21, 2026
Apache Airflow allows code execution through crafted XCom payloads (High severity)
CVE-2026-25917 was published for apache-airflow-core (pip) Apr 18, 2026
Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API (High severity)
CVE-2026-33858 was published for apache-airflow (pip) Apr 13, 2026
Keras has an untrusted deserialization vulnerability (High severity)
CVE-2026-1462 was published for keras (pip) Apr 13, 2026
Apache Storm: Deserialization of Untrusted Data vulnerability (High severity)
CVE-2026-35337 was published for org.apache.storm:storm-client (Maven) Apr 13, 2026
React Server Components have a Denial of Service Vulnerability (High severity)
CVE-2026-23869 was published for react-server-dom-parcel (npm) Apr 10, 2026
MONAI: Unsafe functions lead to pickle deserialization rce (High severity)
GHSA-89gg-p5r5-q6r4 was published for monai (pip) Apr 7, 2026
Credited to hnking-star
OpenSTAManager Affected by Remote Code Execution via Insecure Deserialization in OAuth2 (High severity)
CVE-2026-29782 was published for devcode-it/openstamanager (Composer) Apr 1, 2026
Credited to ormzro
Saloon has insecure deserialization in AccessTokenAuthenticator (High severity)
CVE-2026-33942 was published for saloonphp/saloon (Composer) Mar 27, 2026
Credited to JonPurvis, Sammyjo20, and HuajiHD
NVIDIA NeMo Framework contains a vulnerability leading to Remote Code Execution (High severity)
CVE-2026-24159 was published for nemo-toolkit (pip) Mar 24, 2026
NVIDIA NeMo Framework contains an RCE vulnerability in checkpoint loading (High severity)
CVE-2026-24157 was published for nemo-toolkit (pip) Mar 24, 2026
Apache Spark: Spark History Server Code Execution Vulnerability (High severity)
CVE-2025-54920 was published for org.apache.spark:spark-core_2.10 (Maven) Mar 16, 2026
Concrete CMS vulnerable to Remote Code Execution by stored PHP object injection (High severity)
CVE-2026-3452 was published for concrete5/concrete5 (Composer) Mar 4, 2026
c3p0 vulnerable to Remote Code Execution via unsafe deserialization of userOverridesAsString property (High severity)
CVE-2026-27830 was published for com.mchange:c3p0 (Maven) Feb 25, 2026
Credited to dpp
mchange-commons-java: Remote Code Execution via JNDI Reference Resolution (High severity)
CVE-2026-27727 was published for com.mchange:mchange-commons-java (Maven) Feb 25, 2026
Credited to dpp