Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

76 advisories

Loading
PyYAML insecurely deserializes YAML strings leading to arbitrary code execution Critical
CVE-2017-18342 was published for PyYAML (pip) Jan 4, 2019
theinfosecguy Credited to theinfosecguy
Apache Fory PyFory Deserialization of Untrusted Data Critical
CVE-2026-48207 was published for pyfory (pip) May 21, 2026
HGWAYEN Credited to HGWAYEN
Duplicate Advisory: Picklescan vulnerable to Arbitrary File Writing Critical
GHSA-rmpp-8wf5-xx5q was published for picklescan (pip) Jun 17, 2026 withdrawn
Duplicate Advisory: picklescan missing detection by simple obfuscation of a `builtins.eval` call Critical
GHSA-j6c9-qvp8-699f was published for picklescan (pip) Jun 17, 2026 withdrawn
Kedro has Arbitrary Code Execution via Malicious Logging Configuration Critical
CVE-2026-35171 was published for kedro (pip) Apr 3, 2026
Wernerina Credited to Wernerina
Apache IoTDB: Deserialization of untrusted Data Critical
CVE-2025-48459 was published for apache-iotdb (Maven) Sep 24, 2025
cai0duque Credited to cai0duque
SGLang: Unauthenticated RCE via --enable-custom-logit-processor Critical
CVE-2026-7304 was published for sglang (pip) May 18, 2026
SGLanG: Multimodal scheduler deserializes untrusted pickle data on 0.0.0.0 ROUTER socket Critical
CVE-2026-7301 was published for sglang (pip) May 18, 2026
Ludwig framework is vulnerable to insecure deserialization through its predict() method. Critical
CVE-2026-31237 was published for ludwig (pip) May 12, 2026
Ludwig framework is vulnerable to insecure deserialization in its model serving component Critical
CVE-2026-31238 was published for ludwig (pip) May 12, 2026
Horovod contains an insecure deserialization vulnerability in its KVStore HTTP server component Critical
CVE-2026-31234 was published for horovod (pip) May 12, 2026
PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading Critical
CVE-2026-39890 was published for praisonai (pip) Apr 8, 2026
offset Credited to offset
Hugging Face smolagents: Unsafe deserialization in Remote Python Executor leads to RCE Critical
CVE-2025-14931 was published for smolagents (pip) Dec 23, 2025
Pipecat: Remote Code Execution by Pickle Deserialization Through LivekitFrameSerializer Critical
CVE-2025-62373 was published for pipecat-ai (pip) Apr 23, 2026
Chenpinji Credited to Chenpinji
Azure AI Language Authoring Elevation of Privilege Vulnerability can Lead to RCE Critical
CVE-2026-21531 was published for azure-ai-language-conversations-authoring (pip) Feb 10, 2026
scottaddie Credited to scottaddie
EPyT-Flow vulnerable to unsafe JSON deserialization (__type__) Critical
CVE-2026-25632 was published for epyt-flow (pip) Feb 4, 2026
syphonetic Credited to syphonetic
LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs Critical
CVE-2025-68664 was published for langchain-core (pip) Dec 23, 2025
0xn3va Credited to 0xn3va, yardenporat353, VladimirEliTokarev, eyurtsev, ccurme, mdrxy, and hntrl yardenporat353 yardenporat353
VladimirEliTokarev VladimirEliTokarev eyurtsev eyurtsev ccurme ccurme mdrxy mdrxy hntrl hntrl
Modular Max Serve has Unsafe Deserialization vulnerability Critical
CVE-2025-60455 was published for modular (pip) Nov 18, 2025
Apache Pyfory python is vulnerable to deserialization of untrusted data Critical
CVE-2025-61622 was published for pyfory (pip) Oct 1, 2025
ProTip! Advisories are also available from the GraphQL API