GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
1,204 advisories
In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization
High | CVE-2026-41731 was published for org.springframework.kafka:spring-kafka (Maven) | Jun 10, 2026
GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection
High | CVE-2025-27511 was published for org.geoserver.extension:gs-db2 (Maven) | Jun 11, 2026
Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing...
High | Unreviewed | CVE-2026-41699 was published | Jun 11, 2026
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform...
High | Unreviewed | CVE-2026-20251 was published | Jun 10, 2026
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have...
High | Unreviewed | CVE-2026-53435 was published | Jun 10, 2026
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the in...
High | Unreviewed | CVE-2026-10721 was published | Jun 10, 2026
JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check,...
High | Unreviewed | CVE-2026-41732 was published | Jun 10, 2026
An attacker with write permissions to the database table managed by...
High | Unreviewed | CVE-2026-40993 was published | Jun 10, 2026
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to...
High | Unreviewed | CVE-2026-45484 was published | Jun 9, 2026
A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The...
High | Unreviewed | CVE-2026-32590 was published | Apr 8, 2026
The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code...
High | Unreviewed | CVE-2026-8365 was published | Jun 9, 2026
In an untrusted JMS environment, org.springframework.jms.support.converter...
High | Unreviewed | CVE-2026-41855 was published | Jun 9, 2026
LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
High | CVE-2026-45134 was published for langchain (npm) | May 13, 2026
LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists
High | CVE-2026-44843 was published for langchain-core (pip) | May 8, 2026
Deserialization of Untrusted Data in Gson
High | CVE-2022-25647 was published for com.google.code.gson:gson (Maven) | May 3, 2022
MONAI: Unsafe torch usage may lead to arbitrary code execution
High | CVE-2025-58756 was published for monai (pip) | Sep 9, 2025
Monai: Unsafe use of Pickle deserialization may lead to RCE
High | CVE-2025-58757 was published for monai (pip) | Sep 9, 2025
The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote...
High | Unreviewed | CVE-2026-7654 was published | Jun 6, 2026
Fickling has Code Injection vulnerability via pty.spawn()
High | CVE-2025-67748 was published for fickling (pip) | Dec 15, 2025
Apache Airflow allows code execution through crafted XCom payloads
High | CVE-2026-25917 was published for apache-airflow-core (pip) | Apr 18, 2026
Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API
High | CVE-2026-33858 was published for apache-airflow (pip) | Apr 13, 2026
Seagull Software BarTender 2021 R1 through 12.0.1 contains an insecure deserialization...
High | Unreviewed | CVE-2026-25551 was published | Jun 4, 2026
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the...
High | Unreviewed | CVE-2026-7888 was published | Jun 3, 2026
React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
High | CVE-2026-42211 was published for react-router (npm) | Jun 3, 2026
camel-infinispan Vulnerable to Deserialization of Untrusted Data
High | CVE-2026-6857 was published for org.apache.camel:camel-infinispan (Maven) | Apr 22, 2026