
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

804 advisories

PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass) High
CVE-2026-49286 was published for pontedilana/php-weasyprint (Composer) Jun 26, 2026
golang.org/x/crypto/ssh/agent doesn't drop invoking agent constraints when forwarding keys Critical
CVE-2026-39832 was published for golang.org/x/crypto/ssh/agent (Go) Jun 25, 2026
MessagePack-CSharp: Typeless deserialization type restrictions do not recurse into arrays or generic arguments Moderate
CVE-2026-48517 was published for MessagePack (NuGet) Jun 25, 2026
Credited to AArnott
amazon-braket-sdk vulnerable to Insecure Deserialization via pickle.loads() High
CVE-2026-9291 was published for amazon-braket-sdk (pip) Jun 25, 2026
LangGraph Checkpoint: Unsafe JSON deserialization in checkpoint loading Moderate
CVE-2026-48775 was published for langgraph-checkpoint (pip) Jun 25, 2026
Credited to pucagit
OpenAM has Unsafe Java Deserialization via SNS High
CVE-2026-45794 was published for org.openidentityplatform.openam:openam-push-notification (Maven) Jun 25, 2026
Credited to wodzen
OpenAM: Pre-auth RCE via Java Deserialization in WebAuthn Authenticator Storage Critical
CVE-2026-45051 was published for org.openidentityplatform.openam:openam-auth-webauthn (Maven) Jun 24, 2026
Credited to wodzen
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation High
CVE-2026-54512 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
Credited to caveeroo, omkhar, and 75ACOL
Credited to sectroyer
OpenDJ Pre-Auth RCE via Java Deserialization in JMX RMI Critical
CVE-2026-46495 was published for org.openidentityplatform.opendj:opendj-server-legacy (Maven) Jun 22, 2026
Credited to wodzen
Spinnaker has unsafe YAML deserialization, allowing RCE when using specific types High
CVE-2026-44795 was published for io.spinnaker.orca:orca-core (Maven) Jun 22, 2026
VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files High
GHSA-rpj2-4hq8-938g was published for vcrpy (pip) Jun 19, 2026
Credited to RamiAltai
Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders High
CVE-2026-54499 was published for stanza (pip) Jun 19, 2026
Credited to RamiAltai
Duplicate Advisory: picklescan missing detection by simple obfuscation of a `builtins.eval` call Critical
GHSA-j6c9-qvp8-699f was published for picklescan (pip) Jun 17, 2026 withdrawn
Duplicate Advisory: Picklescan vulnerable to Arbitrary File Writing Critical
GHSA-rmpp-8wf5-xx5q was published for picklescan (pip) Jun 17, 2026 withdrawn
TYPO3 CMS has Insecure Deserialization via Core API Moderate
CVE-2026-49740 was published for typo3/cms-core (Composer) Jun 12, 2026
GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection High
CVE-2025-27511 was published for org.geoserver.extension:gs-db2 (Maven) Jun 11, 2026
Credited to H4cking2theGate, jodygarnett, and aaime
In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization High
CVE-2026-41731 was published for org.springframework.kafka:spring-kafka (Maven) Jun 10, 2026
Credited to oscerd
PHPSpreadsheet has a patch bypass for CVE-2026-34084 Critical
CVE-2026-45034 was published for phpoffice/phpspreadsheet (Composer) Jun 8, 2026
Credited to everping
Credited to SM41ldRag0n
AIOHTTP is Vulnerable to Deserialization of Untrusted Data Moderate
CVE-2026-34993 was published for aiohttp (pip) Jun 3, 2026
Credited to tsigouris007 and YuvalElbar6
Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener High
CVE-2026-45077 was published for symfony/monolog-bridge (Composer) May 27, 2026
Credited to snoopysecurity, nicolas-grekas, and a-tt-om
Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction High
CVE-2026-45162 was published for pimcore/pimcore (Composer) May 27, 2026
Credited to tikket1
Jenkins LDAP Plugin deserializes data from LDAP referrals without validation Moderate
CVE-2026-48917 was published for org.jenkins-ci.plugins:ldap (Maven) May 27, 2026
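Several of the pip entries in this listing (amazon-braket-sdk, Stanza, and the withdrawn picklescan advisories) share one root cause: a pickle stream is a small program, and pickle.loads() runs it, so any stream that references a callable such as builtins.eval executes it at load time. The example below is added here and is not code from GitHub or from any of the listed projects. It builds a constructed hostile pickle, shows pickle.loads() executing the embedded call, lists the globals a stream references without running it (the approach an opcode-level scanner like picklescan takes), and then loads through a restricted Unpickler whose find_class() refuses anything outside an allow-list. The names RestrictedUnpickler, ALLOWED_GLOBALS, referenced_globals and check_and_load are this example's own choices, and all sample data is constructed inline.

```python
"""Added example: why "untrusted bytes into pickle.loads()" is rated High/Critical,
and what the two layers of defence (static scan, restricted unpickler) look like.
Not code from GitHub or from any project in the advisory listing."""
import io
import pickle
import pickletools


class EvalOnLoad:
    """Constructed malicious object: pickling it stores a call to builtins.eval("2+2").
    The call runs when the stream is unpickled; any importable callable would do."""

    def __reduce__(self):
        return (eval, ("2+2",))


# Constructed sample streams: one hostile, one an ordinary dict of "model" data.
MALICIOUS = pickle.dumps(EvalOnLoad(), protocol=4)
BENIGN = pickle.dumps({"model": "demo", "weights": [0.1, 0.2]}, protocol=4)

# Globals an application chooses to accept (hypothetical allow-list). Anything else is refused.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"), ("collections", "OrderedDict")}

# Opcodes that push a string constant; STACK_GLOBAL consumes the two most recent ones.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def unsafe_loads(data: bytes):
    """The vulnerable pattern behind the advisories: untrusted bytes straight into pickle.loads()."""
    return pickle.loads(data)


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Static scan: list the (module, name) pairs a stream imports, without executing it.
    GLOBAL (protocol <= 3) carries "module name" in its argument; STACK_GLOBAL (protocol 4+)
    takes the two most recently pushed strings. Tracking only the last two pushes is a
    simplification: a stream can hide a reference from it (for example by reusing a memoized
    string via BINGET), which is why a scanner is a pre-filter and not the gate."""
    found = []
    recent_strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name in STRING_OPS:
            recent_strings.append(arg)
        elif op.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            found.append((recent_strings[-2], recent_strings[-1]))
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Runtime gate: find_class() is consulted for every global the stream tries to
    resolve, so refusing here stops the call before it can happen."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def check_and_load(data: bytes, scan: bool = True) -> tuple[bool, object]:
    """Defence in depth: optionally scan first, then unpickle only through the restricted
    loader. Returns (True, value) on success or (False, reason) on refusal. With scan=False
    the restricted loader alone must hold, which is the case a scanner bypass creates."""
    if scan:
        bad = [g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS]
        if bad:
            return False, f"scanner flagged {bad}"
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("pickle.loads on hostile stream ->", unsafe_loads(MALICIOUS))  # eval ran: 4
    print("globals referenced:", referenced_globals(MALICIOUS))
    print("scan + restricted load:", check_and_load(MALICIOUS))
    print("restricted load only:", check_and_load(MALICIOUS, scan=False))
    print("benign stream:", check_and_load(BENIGN))
```

The scan catches the obvious case, but the restricted loader is what actually protects the process: it is invoked by the Unpickler itself for every global resolution, so it does not depend on recognising opcode patterns in the stream. For model and checkpoint files, the durable fix the listed projects moved toward is the same in spirit: refuse arbitrary globals, or avoid pickle for untrusted input altogether.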