GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
2,412 advisories
Deserialization of untrusted data vulnerability in OpenText, Inc RightFax on Windows, 64 bit, 32...
Critical, Unreviewed. CVE-2025-15610 was published Apr 15, 2026

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted...
Critical, Unreviewed. CVE-2026-34615 was published Apr 14, 2026

Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an...
High, Unreviewed. CVE-2026-32184 was published Apr 14, 2026

Deserialization of untrusted data in Azure Monitor Agent allows an authorized attacker to elevate...
High, Unreviewed. CVE-2026-32192 was published Apr 14, 2026

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted...
Critical, Unreviewed. CVE-2026-27303 was published Apr 14, 2026

The Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts plugin for...
High, Unreviewed. CVE-2026-3017 was published Apr 14, 2026

Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to...
Critical, Unreviewed. CVE-2026-40044 was published Apr 13, 2026

Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API
High. CVE-2026-33858 was published for apache-airflow (pip) Apr 13, 2026

Keras has an untrusted deserialization vulnerability
High. CVE-2026-1462 was published for keras (pip) Apr 13, 2026

Apache Storm: Deserialization of Untrusted Data vulnerability
High. CVE-2026-35337 was published for org.apache.storm:storm-client (Maven) Apr 13, 2026

Deserialization of untrusted data vulnerability in Samsung Open Source Escargot Java Script...
Moderate, Unreviewed. CVE-2026-25204 was published Apr 13, 2026

React Server Components have a Denial of Service Vulnerability
High. CVE-2026-23869 was published for react-server-dom-parcel (npm) Apr 10, 2026

When restoring a session from cache, a pointer from the serialized session data is used in a free...
Moderate, Unreviewed. CVE-2026-5507 was published Apr 10, 2026

A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1...
Critical, Unreviewed. CVE-2026-3199 was published Apr 9, 2026

PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading
Critical. CVE-2026-39890 was published for praisonai (pip) Apr 8, 2026

A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The...
High, Unreviewed. CVE-2026-32590 was published Apr 8, 2026

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up...
Critical, Unreviewed. CVE-2026-3296 was published Apr 8, 2026

IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute...
High, Unreviewed. CVE-2026-3357 was published Apr 8, 2026

Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
Critical. CVE-2026-39324 was published for rack-session (RubyGems) Apr 8, 2026

MONAI: Unsafe functions lead to pickle deserialization rce
High. GHSA-89gg-p5r5-q6r4 was published for monai (pip) Apr 7, 2026

NVIDIA DALI contains a vulnerability where an attacker could cause a deserialization of untrusted...
High, Unreviewed. CVE-2026-24156 was published Apr 7, 2026

OpenIdentityPlatform OpenAM: Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM
Critical. CVE-2026-33439 was published for org.openidentityplatform.openam:openam (Maven) Apr 7, 2026

HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class
Moderate. CVE-2026-1839 was published for transformers (pip) Apr 7, 2026

pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)
High. CVE-2026-35464 was published for pyload-ng (pip) Apr 4, 2026

Roundcube Webmail: Unsafe deserialization in the redis/memcache session handler
Low. CVE-2026-35537 was published for roundcube/roundcubemail (Composer) Apr 3, 2026

ProTip! Advisories are also available from the GraphQL API