GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
387 advisories
Jenkins Active Directory Plugin deserializes data from LDAP referrals without validation
Severity: Moderate
CVE-2026-48919 was published for org.jenkins-ci.plugins:active-directory (Maven) on May 27, 2026

Jenkins LDAP Plugin deserializes data from LDAP referrals without validation
Severity: Moderate
CVE-2026-48917 was published for org.jenkins-ci.plugins:ldap (Maven) on May 27, 2026

OpenAM has Unsafe Java Deserialization via SNS
Severity: High
CVE-2026-45794 was published for org.openidentityplatform.openam:openam-push-notification (Maven) on Jun 25, 2026

jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation
Severity: High
CVE-2026-54512 was published for com.fasterxml.jackson.core:jackson-databind (Maven) on Jun 23, 2026

OpenAM: Pre-auth RCE via Java Deserialization in WebAuthn Authenticator Storage
Severity: Critical
CVE-2026-45051 was published for org.openidentityplatform.openam:openam-auth-webauthn (Maven) on Jun 24, 2026

OpenDJ Pre-Auth RCE via Java Deserialization in JMX RMI
Severity: Critical
CVE-2026-46495 was published for org.openidentityplatform.opendj:opendj-server-legacy (Maven) on Jun 22, 2026

Spinnaker has unsafe yaml deserialization, allowing RCE when using specific types
Severity: High
CVE-2026-44795 was published for io.spinnaker.orca:orca-core (Maven) on Jun 22, 2026

In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization
Severity: High
CVE-2026-41731 was published for org.springframework.kafka:spring-kafka (Maven) on Jun 10, 2026

GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection
Severity: High
CVE-2025-27511 was published for org.geoserver.extension:gs-db2 (Maven) on Jun 11, 2026

dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution
Severity: Critical
CVE-2026-33728 was published for com.datadoghq:dd-java-agent (Maven) on Mar 26, 2026

Deserialization of Untrusted Data in Log4j
Severity: Critical
CVE-2019-17571 was published for log4j:log4j (Maven) on Jan 6, 2020

Deserialization of Untrusted Data in Gson
Severity: High
CVE-2022-25647 was published for com.google.code.gson:gson (Maven) on May 3, 2022

Apache IoTDB: Deserialization of untrusted Data
Severity: Critical
CVE-2025-48459 was published for apache-iotdb (Maven) on Sep 24, 2025

camel-infinispan Vulnerable to Deserialization of Untrusted Data
Severity: High
CVE-2026-6857 was published for org.apache.camel:camel-infinispan (Maven) on Apr 22, 2026

Uncontrolled Resource Consumption in FasterXML jackson-databind
Severity: High
CVE-2022-42004 was published for com.fasterxml.jackson.core:jackson-databind (Maven) on Oct 3, 2022

fabric-sdk-java has ObjectInputStream.readObject() without ObjectInputFilter, which allows Java deserialization RCE
Severity: Critical
CVE-2026-41586 was published for org.hyperledger.fabric-sdk-java:fabric-sdk-java (Maven) on Apr 29, 2026

Potential remote code execution in Apache Tomcat
Severity: High
CVE-2020-9484 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) on May 21, 2020

Apache MINA vulnerable to Deserialization of Untrusted Data
Severity: Critical
CVE-2026-41635 was published for org.apache.mina:mina-core (Maven) on Apr 27, 2026

Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41635 Incomplete Fix)
Severity: Critical
CVE-2026-42779 was published for org.apache.mina:mina-core (Maven) on May 1, 2026

Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41409 Incomplete Fix)
Severity: Critical
CVE-2026-42778 was published for org.apache.mina:mina-core (Maven) on May 1, 2026

Jenkins Matrix Authorization Strategy Plugin: Unsafe deserialization allows invocation of parameterless constructors
Severity: Moderate
CVE-2026-42521 was published for org.jenkins-ci.plugins:matrix-auth (Maven) on Apr 29, 2026

Unsafe Deserialization in jackson-databind
Severity: High
CVE-2020-36183 was published for com.fasterxml.jackson.core:jackson-databind (Maven) on Dec 9, 2021

Deserialization of untrusted data in Jackson Databind
Severity: High
CVE-2020-14062 was published for com.fasterxml.jackson.core:jackson-databind (Maven) on Jun 18, 2020

Deserialization of untrusted data in Jackson Databind
Severity: High
CVE-2020-14060 was published for com.fasterxml.jackson.core:jackson-databind (Maven) on Jun 18, 2020

jackson-databind mishandles the interaction between serialization gadgets and typing
Severity: High
CVE-2020-11619 was published for com.fasterxml.jackson.core:jackson-databind (Maven) on May 15, 2020