
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.

367 advisories

PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass) High
CVE-2026-49286 was published for pontedilana/php-weasyprint (Composer) Jun 26, 2026
Credited to AArnott
amazon-braket-sdk vulnerable to Insecure Deserialization via pickle.loads() High
CVE-2026-9291 was published for amazon-braket-sdk (pip) Jun 25, 2026
OpenAM has Unsafe Java Deserialization via SNS High
CVE-2026-45794 was published for org.openidentityplatform.openam:openam-push-notification (Maven) Jun 25, 2026
Credited to wodzen
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation High
CVE-2026-54512 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to caveeroo, omkhar, and 75ACOL
Credited to sectroyer
Spinnaker has unsafe YAML deserialization, allowing RCE when using specific types High
CVE-2026-44795 was published for io.spinnaker.orca:orca-core (Maven) Jun 22, 2026
VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files High
GHSA-rpj2-4hq8-938g was published for vcrpy (pip) Jun 19, 2026
Credited to RamiAltai
Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders High
CVE-2026-54499 was published for stanza (pip) Jun 19, 2026
Credited to RamiAltai
GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection High
CVE-2025-27511 was published for org.geoserver.extension:gs-db2 (Maven) Jun 11, 2026
Credited to H4cking2theGate, jodygarnett, and aaime
In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization High
CVE-2026-41731 was published for org.springframework.kafka:spring-kafka (Maven) Jun 10, 2026
Credited to oscerd
Credited to SM41ldRag0n
Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener High
CVE-2026-45077 was published for symfony/monolog-bridge (Composer) May 27, 2026
Credited to snoopysecurity, nicolas-grekas, and a-tt-om
Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction High
CVE-2026-45162 was published for pimcore/pimcore (Composer) May 27, 2026
Credited to tikket1
HuggingFace transformers vulnerable to remote code execution High
CVE-2026-4372 was published for transformers (pip) May 26, 2026
Credited to aaronmaxlevy
Concrete CMS Vulnerable to Deserialization of Untrusted Data High
CVE-2026-8135 was published for concrete5/concrete5 (Composer) May 21, 2026
TYPO3 Remote Code Execution in extension "Site Crawler" (crawler) High
CVE-2026-8727 was published for tomasnorre/crawler (Composer) May 19, 2026
Credited to eliashaeussler
Graphite Has a Pickle Deserialization Vulnerability High
GHSA-qw48-84f6-28gv was published for graphitedb (pip) May 18, 2026
Credited to mkh-user
LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning High
CVE-2026-45134 was published for langchain (npm) May 13, 2026
Credited to Moaaz-0x and berardinellidaniele
Snorkel BaseLabeler.load uses an unsafe pickle.load High
CVE-2026-31223 was published for snorkel (pip) May 12, 2026
PyTorch Lightning load_from_checkpoint has an insecure checkpoint deserialization High
CVE-2026-31221 was published for pytorch-lightning (pip) May 12, 2026
Snorkel Trainer.load uses an unsafe torch.load High
CVE-2026-31222 was published for snorkel (pip) May 12, 2026
Snorkel MultitaskClassifier.load uses an unsafe torch.load High
CVE-2026-31224 was published for snorkel (pip) May 12, 2026
pgAdmin 4 has deserialization of untrusted data in its FileBackedSessionManager High
CVE-2026-7818 was published for pgadmin4 (pip) May 11, 2026
Credited to warsang
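Seven of the pip entries above (amazon-braket-sdk, Stanza, Graphite, the three Snorkel loaders and PyTorch Lightning's load_from_checkpoint) share one root cause: pickle.load or torch.load (whose checkpoint format is a pickle stream) is run on a file the attacker can supply. The block below is an added example, not code from any of those projects or from the advisory database, showing why that is remote code execution and the two controls a practitioner would reach for: an Unpickler subclass that allow-lists find_class, and a static pass over the opcode stream that lists the globals a file would import before anything is executed. EvilPayload, RestrictedUnpickler, pickle_globals, try_restricted_load and the two checkpoint byte strings are all constructed for this example.

```python
"""Added example: why an unsafe pickle.load / torch.load is RCE, and two
controls.  Standard library only; nothing here belongs to the packages
named in the advisories above.  The "checkpoints" are constructed inline.
"""
import io
import pickle
import pickletools
from collections import OrderedDict

# What the attacker wants evaluated on the victim.  A real payload would
# call os.system or similar; this one only imports sys and reads a
# version number so the effect is observable and harmless.
EVIL_EXPRESSION = "__import__('sys').version_info.major"


class EvilPayload:
    """Pickles to a call of builtins.eval(EVIL_EXPRESSION).

    The REDUCE opcode invokes whatever global __reduce__ names while the
    stream is still being loaded, before application code sees any object.
    That is the whole bug behind "uses an unsafe pickle.load".
    """

    def __reduce__(self):
        return (eval, (EVIL_EXPRESSION,))


# Constructed inputs: a legitimate-looking training checkpoint and a
# poisoned one.  Both are what a model loader would read from disk.
BENIGN_CHECKPOINT = pickle.dumps(OrderedDict(weights=[0.1, 0.2], epoch=3), protocol=4)
MALICIOUS_CHECKPOINT = pickle.dumps(EvilPayload(), protocol=4)


def unsafe_load(data: bytes):
    """The vulnerable pattern: every global named in the stream is trusted."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Control 1: allow-list the globals a checkpoint may reference.

    Plain containers and scalars are built by opcodes and never reach
    find_class, so the allow-list only needs the few classes a legitimate
    file actually reconstructs (here: collections.OrderedDict).
    """

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_restricted_load(data: bytes):
    """Returns ("ok", obj) or ("rejected", reason) instead of raising."""
    try:
        return ("ok", restricted_load(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


STRING_OPS = ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE")


def pickle_globals(data: bytes):
    """Control 2: static triage.  Lists (module, name) pairs the stream
    would import, without executing any of it.  GLOBAL carries both names
    in its argument; STACK_GLOBAL takes them from the two most recently
    pushed strings, so string pushes and the memo (MEMOIZE/PUT/GET) are
    tracked.  This is a triage heuristic for CPython-produced streams,
    not a full pickle VM.
    """
    strings, memo, found = [], {}, []
    last_was_string = False
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
            last_was_string = True
            continue
        if op.name == "MEMOIZE":
            memo[len(memo)] = strings[-1] if last_was_string else None
        elif op.name in ("BINPUT", "LONG_BINPUT", "PUT"):
            memo[arg] = strings[-1] if last_was_string else None
        elif op.name in ("BINGET", "LONG_BINGET", "GET"):
            strings.append(memo.get(arg))
        elif op.name == "GLOBAL":  # arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            name = strings.pop() if strings else None
            module = strings.pop() if strings else None
            found.append((module, name))
        last_was_string = False
    return found


if __name__ == "__main__":
    print("unsafe load of poisoned file returned:", unsafe_load(MALICIOUS_CHECKPOINT))
    print("restricted load of poisoned file:", try_restricted_load(MALICIOUS_CHECKPOINT))
    print("restricted load of benign file:", try_restricted_load(BENIGN_CHECKPOINT))
    print("globals in benign file:", pickle_globals(BENIGN_CHECKPOINT))
    print("globals in poisoned file:", pickle_globals(MALICIOUS_CHECKPOINT))
```

The allow-list is the control that actually closes the hole; the opcode scan is for triage of files you cannot yet refuse to load (an artifact store, a pull request adding model weights), and a stream that names anything outside the expected modules should be treated as hostile rather than loaded to "see what it does".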