GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

217 advisories

amazon-braket-sdk vulnerable to Insecure Deserialization via pickle.loads() High
CVE-2026-9291 was published for amazon-braket-sdk (pip) Jun 25, 2026
LangGraph Checkpoint: Unsafe JSON deserialization in checkpoint loading Moderate
CVE-2026-48775 was published for langgraph-checkpoint (pip) Jun 25, 2026
Credited to pucagit and sectroyer
VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files High
GHSA-rpj2-4hq8-938g was published for vcrpy (pip) Jun 19, 2026
Credited to RamiAltai
Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders High
CVE-2026-54499 was published for stanza (pip) Jun 19, 2026
Credited to RamiAltai
Duplicate Advisory: picklescan missing detection by simple obfuscation of a `builtins.eval` call Critical
GHSA-j6c9-qvp8-699f was published for picklescan (pip) Jun 17, 2026 withdrawn
Duplicate Advisory: Picklescan vulnerable to Arbitrary File Writing Critical
GHSA-rmpp-8wf5-xx5q was published for picklescan (pip) Jun 17, 2026 withdrawn
AIOHTTP is Vulnerable to Deserialization of Untrusted Data Moderate
CVE-2026-34993 was published for aiohttp (pip) Jun 3, 2026
Credited to tsigouris007 and YuvalElbar6
Graphite Has a Pickle Deserialization Vulnerability High
GHSA-qw48-84f6-28gv was published for graphitedb (pip) May 18, 2026
Credited to mkh-user
SGLang: Multimodal scheduler deserializes untrusted pickle data on 0.0.0.0 ROUTER socket Critical
CVE-2026-7301 was published for sglang (pip) May 18, 2026
SGLang: Unauthenticated RCE via --enable-custom-logit-processor Critical
CVE-2026-7304 was published for sglang (pip) May 18, 2026
LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning High
CVE-2026-45134 was published for langchain (npm) May 13, 2026
Credited to Moaaz-0x and berardinellidaniele
Ludwig framework is vulnerable to insecure deserialization through its predict() method. Critical
CVE-2026-31237 was published for ludwig (pip) May 12, 2026
Ludwig framework is vulnerable to insecure deserialization in its model serving component Critical
CVE-2026-31238 was published for ludwig (pip) May 12, 2026
Horovod contains an insecure deserialization vulnerability in its KVStore HTTP server component Critical
CVE-2026-31234 was published for horovod (pip) May 12, 2026
Snorkel BaseLabeler.load uses an unsafe pickle.load High
CVE-2026-31223 was published for snorkel (pip) May 12, 2026
PyTorch Lightning load_from_checkpoint has an insecure checkpoint deserialization High
CVE-2026-31221 was published for pytorch-lightning (pip) May 12, 2026
Snorkel Trainer.load uses an unsafe torch.load High
CVE-2026-31222 was published for snorkel (pip) May 12, 2026
Snorkel MultitaskClassifier.load uses an unsafe torch.load High
CVE-2026-31224 was published for snorkel (pip) May 12, 2026
pgAdmin 4 has deserialization of untrusted data in its FileBackedSessionManager High
CVE-2026-7818 was published for pgadmin4 (pip) May 11, 2026
Credited to u-ktdi, dewankpant, shrutilohani, Moaaz-0x, yardenporat353, pucagit, nick-hollon-lc, and localhost-detect
Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization High
CVE-2026-41486 was published for ray (pip) Apr 24, 2026
Credited to shakevsky