GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
367 advisories
PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)
  High. CVE-2026-49286 was published for pontedilana/php-weasyprint (Composer), Jun 26, 2026.
MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows
  High. CVE-2026-48502 was published for MessagePack (NuGet), Jun 25, 2026.
amazon-braket-sdk vulnerable to Insecure Deserialization via pickle.loads()
  High. CVE-2026-9291 was published for amazon-braket-sdk (pip), Jun 25, 2026.
OpenAM has Unsafe Java Deserialization via SNS
  High. CVE-2026-45794 was published for org.openidentityplatform.openam:openam-push-notification (Maven), Jun 25, 2026.
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation
  High. CVE-2026-54512 was published for com.fasterxml.jackson.core:jackson-databind (Maven), Jun 23, 2026.
Glances has Insecure Pickle Deserialization in its Version Cache that Leads to Arbitrary Code Execution
  High. CVE-2026-46607 was published for glances (pip), Jun 22, 2026.
Spinnaker has unsafe yaml deserialization, allowing RCE when using specific types
  High. CVE-2026-44795 was published for io.spinnaker.orca:orca-core (Maven), Jun 22, 2026.
VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files
  High. GHSA-rpj2-4hq8-938g was published for vcrpy (pip), Jun 19, 2026.
Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders
  High. CVE-2026-54499 was published for stanza (pip), Jun 19, 2026.
GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection
  High. CVE-2025-27511 was published for org.geoserver.extension:gs-db2 (Maven), Jun 11, 2026.
In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization
  High. CVE-2026-41731 was published for org.springframework.kafka:spring-kafka (Maven), Jun 10, 2026.
React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
  High. CVE-2026-42211 was published for react-router (npm), Jun 3, 2026.
Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener
  High. CVE-2026-45077 was published for symfony/monolog-bridge (Composer), May 27, 2026.
Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction
  High. CVE-2026-45162 was published for pimcore/pimcore (Composer), May 27, 2026.
HuggingFace transformers vulnerable to remote code execution
  High. CVE-2026-4372 was published for transformers (pip), May 26, 2026.
Concrete CMS Vulnerable to Deserialization of Untrusted Data
  High. CVE-2026-8135 was published for concrete5/concrete5 (Composer), May 21, 2026.
TYPO3 Remote Code Execution in extension "Site Crawler" (crawler)
  High. CVE-2026-8727 was published for tomasnorre/crawler (Composer), May 19, 2026.
Graphite Has a Pickle Deserialization Vulnerability
  High. GHSA-qw48-84f6-28gv was published for graphitedb (pip), May 18, 2026.
LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
  High. CVE-2026-45134 was published for langchain (npm), May 13, 2026.
Snorkel BaseLabeler.load uses an unsafe pickle.load
  High. CVE-2026-31223 was published for snorkel (pip), May 12, 2026.
PyTorch Lightning load_from_checkpoint has an insecure checkpoint deserialization
  High. CVE-2026-31221 was published for pytorch-lightning (pip), May 12, 2026.
Snorkel Trainer.load uses an unsafe torch.load
  High. CVE-2026-31222 was published for snorkel (pip), May 12, 2026.
Snorkel MultitaskClassifier.load uses an unsafe torch.load
  High. CVE-2026-31224 was published for snorkel (pip), May 12, 2026.
pgAdmin 4 has deserialization of untrusted data in its FileBackedSessionManager
  High. CVE-2026-7818 was published for pgadmin4 (pip), May 11, 2026.
flash-attention contains an insecure deserialization vulnerability in its checkpoint loading mechanism
  High. CVE-2026-31253 was published for flash_attn (pip), May 11, 2026.