GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

175 advisories

LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution
  Severity: Moderate
  CVE-2026-27794 was published for langgraph-checkpoint (pip) Feb 25, 2026
  Credited to zdi-disclosures

datapizza-ai has unsafe deserialization via pickle.loads() in RedisCache
  Severity: Low
  CVE-2026-2970 was published for datapizza-ai-core (pip) Feb 23, 2026

NVIDIA NeMo Framework Deserializes Untrusted Data
  Severity: High
  CVE-2025-33253 was published for nemo-toolkit (pip) Feb 18, 2026

NVIDIA NeMo Framework contains a vulnerability where malicious data could cause remote code execution
  Severity: High
  CVE-2025-33245 was published for nemo-toolkit (pip) Feb 18, 2026

DiskCache has unsafe pickle deserialization
  Severity: Moderate
  CVE-2025-69872 was published for diskcache (pip) Feb 11, 2026

Azure AI Language Authoring Elevation of Privilege Vulnerability can Lead to RCE
  Severity: Critical
  CVE-2026-21531 was published for azure-ai-language-conversations-authoring (pip) Feb 10, 2026
  Credited to scottaddie

EPyT-Flow vulnerable to unsafe JSON deserialization (__type__)
  Severity: Critical
  CVE-2026-25632 was published for epyt-flow (pip) Feb 4, 2026
  Credited to syphonetic

Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc
  Severity: High
  CVE-2025-70559 was published for pdfminer.six (pip) Nov 7, 2025
  Credited to sumanrox

Duplicate Advisory: Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc
  Severity: High
  GHSA-8x2r-v9x5-3qgh was published for pdfminer.six (pip) Feb 3, 2026 (withdrawn)

picklescan vulnerable to arbitrary file create using logging.FileHandler
  Severity: Moderate
  GHSA-m7j5-r2p5-c39r was published for picklescan (pip) Feb 2, 2026
  Credited to ez-lbz

picklescan missing detection by simple obfuscation of a `builtins.eval` call
  Severity: High
  GHSA-9m3x-qqw2-h32h was published for picklescan (pip) Feb 2, 2026
  Credited to ogrisel

PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files
  Severity: High
  CVE-2026-24747 was published for pytorch (pip) Jan 27, 2026
  Credited to azraelxuemo

Tendenci Affected by Authenticated Remote Code Execution via Pickle Deserialization
  Severity: Moderate
  CVE-2026-23946 was published for tendenci (pip) Jan 21, 2026
  Credited to nedlir

docling-core vulnerable to Remote Code Execution via unsafe PyYAML usage
  Severity: High
  CVE-2026-24009 was published for docling-core (pip) Jan 22, 2026
  Credited to avioligo, vagenas, PeterStaar-IBM, dolfim-ibm, and tiran

Fickling has Code Injection vulnerability via pty.spawn()
  Severity: High
  CVE-2025-67748 was published for fickling (pip) Dec 15, 2025
  Credited to ajohnston9 and 0x00nier

Fickling has missing detection for marshal.loads and types.FunctionType in unsafe modules list
  Severity: High
  CVE-2025-67747 was published for fickling (pip) Dec 15, 2025
  Credited to 0x00nier and ajohnston9

Picklescan missing detection when calling pty.spawn
  Severity: High
  GHSA-vqmv-47xg-9wpr was published for picklescan (pip) Dec 29, 2025
  Credited to geo-lit, ajohnston9, and 0x00nier

Azure Core is vulnerable to deserialization of untrusted data
  Severity: High
  CVE-2026-21226 was published for azure-core (pip) Jan 13, 2026

Fickling vulnerable to detection bypass due to "builtins" blindness
  Severity: High
  CVE-2026-22612 was published for fickling (pip) Jan 9, 2026
  Credited to 0x-Apollyon

Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist
  Severity: High
  CVE-2026-22609 was published for fickling (pip) Jan 9, 2026
  Credited to mldangelo

Fickling vulnerable to use of ctypes and pydoc gadget chain to bypass detection
  Severity: High
  CVE-2026-22608 was published for fickling (pip) Jan 9, 2026
  Credited to 0x-Apollyon

Fickling Blocklist Bypass: cProfile.run()
  Severity: High
  CVE-2026-22607 was published for fickling (pip) Jan 9, 2026
  Credited to beneaththecode

Fickling has a bypass via runpy.run_path() and runpy.run_module()
  Severity: High
  CVE-2026-22606 was published for fickling (pip) Jan 9, 2026
  Credited to beneaththecode

Arbitrary Code Execution in pdfminer.six via Crafted PDF Input
  Severity: High
  CVE-2025-64512 was published for pdfminer.six (pip) Nov 7, 2025
  Credited to mtolley