GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
804 advisories
PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)
High. CVE-2026-49286 was published for pontedilana/php-weasyprint (Composer) on Jun 26, 2026.

golang.org/x/crypto/ssh/agent doesn't drop invoking agent constraints when forwarding keys
Critical. CVE-2026-39832 was published for golang.org/x/crypto/ssh/agent (Go) on Jun 25, 2026.

MessagePack-CSharp: Typeless deserialization type restrictions do not recurse into arrays or generic arguments
Moderate. CVE-2026-48517 was published for MessagePack (NuGet) on Jun 25, 2026.

MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows
High. CVE-2026-48502 was published for MessagePack (NuGet) on Jun 25, 2026.

amazon-braket-sdk vulnerable to Insecure Deserialization via pickle.loads()
High. CVE-2026-9291 was published for amazon-braket-sdk (pip) on Jun 25, 2026.

LangGraph Checkpoint: Unsafe JSON deserialization in checkpoint loading
Moderate. CVE-2026-48775 was published for langgraph-checkpoint (pip) on Jun 25, 2026.

OpenAM has Unsafe Java Deserialization via SNS
High. CVE-2026-45794 was published for org.openidentityplatform.openam:openam-push-notification (Maven) on Jun 25, 2026.

OpenAM: Pre-auth RCE via Java Deserialization in WebAuthn Authenticator Storage
Critical. CVE-2026-45051 was published for org.openidentityplatform.openam:openam-auth-webauthn (Maven) on Jun 24, 2026.

jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation
High. CVE-2026-54512 was published for com.fasterxml.jackson.core:jackson-databind (Maven) on Jun 23, 2026.

Glances has Insecure Pickle Deserialization in its Version Cache that Leads to Arbitrary Code Execution
High. CVE-2026-46607 was published for glances (pip) on Jun 22, 2026.

OpenDJ Pre-Auth RCE via Java Deserialization in JMX RMI
Critical. CVE-2026-46495 was published for org.openidentityplatform.opendj:opendj-server-legacy (Maven) on Jun 22, 2026.
Spinnaker has non-safe yaml deserialization, allowing RCE when using specific types
High. CVE-2026-44795 was published for io.spinnaker.orca:orca-core (Maven) on Jun 22, 2026.
VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files
High. GHSA-rpj2-4hq8-938g was published for vcrpy (pip) on Jun 19, 2026.

Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders
High. CVE-2026-54499 was published for stanza (pip) on Jun 19, 2026.

Duplicate Advisory: picklescan missing detection by simple obfuscation of a `builtins.eval` call
Critical. GHSA-j6c9-qvp8-699f was published for picklescan (pip) on Jun 17, 2026. Withdrawn.

Duplicate Advisory: Picklescan vulnerable to Arbitrary File Writing
Critical. GHSA-rmpp-8wf5-xx5q was published for picklescan (pip) on Jun 17, 2026. Withdrawn.

TYPO3 CMS has Insecure Deserialization via Core API
Moderate. CVE-2026-49740 was published for typo3/cms-core (Composer) on Jun 12, 2026.

GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection
High. CVE-2025-27511 was published for org.geoserver.extension:gs-db2 (Maven) on Jun 11, 2026.

In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization
High. CVE-2026-41731 was published for org.springframework.kafka:spring-kafka (Maven) on Jun 10, 2026.

PHPSpreadsheet has a patch bypass for CVE-2026-34084
Critical. CVE-2026-45034 was published for phpoffice/phpspreadsheet (Composer) on Jun 8, 2026.

React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
High. CVE-2026-42211 was published for react-router (npm) on Jun 3, 2026.

AIOHTTP is Vulnerable to Deserialization of Untrusted Data
Moderate. CVE-2026-34993 was published for aiohttp (pip) on Jun 3, 2026.

Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener
High. CVE-2026-45077 was published for symfony/monolog-bridge (Composer) on May 27, 2026.

Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction
High. CVE-2026-45162 was published for pimcore/pimcore (Composer) on May 27, 2026.

Jenkins LDAP Plugin deserializes data from LDAP referrals without validation
Moderate. CVE-2026-48917 was published for org.jenkins-ci.plugins:ldap (Maven) on May 27, 2026.