Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
61
GitHub Actions
50
Go
3,821
Maven
5,000+
npm
5,000+
NuGet
939
pip
5,000+
Pub
13
RubyGems
1,059
Rust
1,357
Swift
54
Unreviewed advisories
All unreviewed
5,000+

758 advisories

Loading
TanStack Start - Server Core: Inbound server-function request deserialization could invoke a sibling client-referenced server function Moderate
GHSA-9m65-766c-r333 was published for @tanstack/start-server-core (npm) May 14, 2026
mufeedvh Credited to mufeedvh
LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning High
CVE-2026-45134 was published for langchain (npm) May 13, 2026
Moaaz-0x Credited to Moaaz-0x and berardinellidaniele berardinellidaniele berardinellidaniele
torrentpier has PHP Serialize Injections Critical
GHSA-h29g-c9cx-c73q was published for torrentpier/torrentpier (Composer) May 11, 2026
PhpSecure Credited to PhpSecure
LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists High
CVE-2026-44843 was published for langchain-core (pip) May 8, 2026
u-ktdi Credited to u-ktdi, dewankpant, shrutilohani, Moaaz-0x, yardenporat353, pucagit, nick-hollon-lc, and localhost-detect dewankpant dewankpant
shrutilohani shrutilohani Moaaz-0x Moaaz-0x yardenporat353 yardenporat353 pucagit pucagit nick-hollon-lc nick-hollon-lc localhost-detect localhost-detect
Grav has Insecure Deserialization in File Cache Low
CVE-2026-7317 was published for getgrav/grav (Composer) May 5, 2026
devsamuelsantiago Credited to devsamuelsantiago
Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass Critical
GHSA-vj3m-2g9h-vm4p was published for getgrav/grav (Composer) May 5, 2026
Proscan-one Credited to Proscan-one
Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41409 Incomplete Fix) Critical
CVE-2026-42778 was published for org.apache.mina:mina-core (Maven) May 1, 2026
Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41635 Incomplete Fix) Critical
CVE-2026-42779 was published for org.apache.mina:mina-core (Maven) May 1, 2026
fabric-sdk-java has ObjectInputStream.readObject() without ObjectInputFilter, which allows Java deserialization RCE Critical
CVE-2026-41586 was published for org.hyperledger.fabric-sdk-java:fabric-sdk-java (Maven) Apr 29, 2026
brodmart Credited to brodmart
PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled Critical
CVE-2026-34084 was published for phpoffice/phpspreadsheet (Composer) Apr 29, 2026
calligraf0 Credited to calligraf0
Jenkins Matrix Authorization Strategy Plugin: Unsafe deserialization allows invocation of parameterless constructors Moderate
CVE-2026-42521 was published for org.jenkins-ci.plugins:matrix-auth (Maven) Apr 29, 2026
Apache MINA Vulnerable to Deserialization of Untrusted Data (CVE-2024-52046 Incomplete Fix) Critical
CVE-2026-41409 was published for org.apache.mina:mina-core (Maven) Apr 27, 2026
Apache Camel's Camel-Mail component is vulnerable to Camel message header injection Critical
CVE-2026-33454 was published for org.apache.camel:camel-mail (Maven) Apr 27, 2026
Apache Camel-Infinispan Component Vulnerable to Deserialization of Untrusted Data High
CVE-2026-40858 was published for org.apache.camel:camel-infinispan (Maven) Apr 27, 2026
Apache Camel-Consul component vulnerable to Deserialization of Untrusted Data Moderate
CVE-2026-27172 was published for org.apache.camel:camel-consul (Maven) Apr 27, 2026
Camel-MINA Vulnerable to Deserialization of Untrusted Data High
CVE-2026-40473 was published for org.apache.camel:camel-mina (Maven) Apr 27, 2026
Apache MINA vulnerable to Deserialization of Untrusted Data Critical
CVE-2026-41635 was published for org.apache.mina:mina-core (Maven) Apr 27, 2026
Camel-PQC Vulnerable to Deserialization of Untrusted Data High
CVE-2026-40048 was published for org.apache.camel:camel-pqc (Maven) Apr 27, 2026
k8sGPT has Prompt Injection through its k8sGPT-Operator High
GHSA-rp7v-4384-hfrp was published for github.com/k8sgpt-ai/k8sgpt (Go) Apr 24, 2026
haruki3hhh Credited to haruki3hhh
Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization High
CVE-2026-41486 was published for ray (pip) Apr 24, 2026
shakevsky Credited to shakevsky
Apache DolphinScheduler RPC module has a Deserialization of Untrusted Data vulnerability Moderate
CVE-2025-62233 was published for org.apache.dolphinscheduler:dolphinscheduler (Maven) Apr 24, 2026
Pipecat: Remote Code Execution by Pickle Deserialization Through LivekitFrameSerializer Critical
CVE-2025-62373 was published for pipecat-ai (pip) Apr 23, 2026
Chenpinji Credited to Chenpinji
camel-infinispan Vulnerable to Deserialization of Untrusted Data High
CVE-2026-6857 was published for org.apache.camel:camel-infinispan (Maven) Apr 22, 2026
OpenMage LTS: Phar Deserialization leads to Remote Code Execution High
CVE-2026-25524 was published for openmage/magento-lts (Composer) Apr 21, 2026
Apache Airflow allows code execution through crafted XCom payloads High
CVE-2026-25917 was published for apache-airflow-core (pip) Apr 18, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database