GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
4,055
Erlang
29
GitHub Actions
19
Go
1,889
Maven
5,000+
npm
3,605
NuGet
638
pip
3,208
Pub
10
RubyGems
852
Rust
816
Swift
35
Unreviewed advisories
All unreviewed
5,000+
497 advisories
Filter by severity
ThinkPHP deserialization vulnerability
Critical
CVE-2024-44902
was published
for
topthink/framework
(Composer)
Sep 9, 2024
Apache Airflow vulnerable arbitrary code execution via Spark server
High
CVE-2023-40195
was published
for
apache-airflow-providers-apache-spark
(pip)
Aug 28, 2023
CoAPthon3 vulnerable to Deserialization of Untrusted Data
High
CVE-2018-12679
was published
for
CoAPthon3
(pip)
Apr 8, 2019
Deserialization of Untrusted Data in Liferay Portal
Critical
CVE-2020-7961
was published
for
com.liferay.portal:com.liferay.portal.kernel
(Maven)
May 24, 2022
ntlk unsafe deserialization vulnerability
High
CVE-2024-39705
was published
for
nltk
(pip)
Jun 28, 2024
Apache James server: Privilege escalation via JMX pre-authentication deserialization
Critical
CVE-2023-51518
was published
for
org.apache.james:james-server
(Maven)
Feb 27, 2024
nGrinder vulnerable to unsafe Java objects deserialization
Critical
CVE-2024-28213
was published
for
org.ngrinder:ngrinder-core
(Maven)
Mar 7, 2024
nukeviet Deserialization of Untrusted Data vulnerability
High
CVE-2024-36528
was published
for
nukeviet/nukeviet
(Composer)
Jun 10, 2024
image-optimizer allows PHAR deserialization
High
CVE-2024-34515
was published
for
spatie/image-optimizer
(Composer)
May 5, 2024
RDoc RCE vulnerability with .rdoc_options
Moderate
CVE-2024-27281
was published
for
rdoc
(RubyGems)
Mar 25, 2024
Reading specially crafted serializable objects from an untrusted source may cause an infinite loop and denial of service
High
CVE-2024-22871
was published
for
org.clojure:clojure
(Maven)
Feb 29, 2024
Redisson vulnerable to Deserialization of Untrusted Data
Critical
CVE-2023-42809
was published
for
org.redisson:redisson
(Maven)
Aug 5, 2024
XXL-RPC Deserialization of Untrusted Data vulnerability
Critical
CVE-2023-45146
was published
for
com.xuxueli:xxl-rpc-core
(Maven)
Aug 5, 2024
Apache Linkis DataSource's JDBC Datasource Module with DB2 has JNDI Injection vulnerability
High
CVE-2023-49566
was published
for
org.apache.linkis:linkis-datasource
(Maven)
Jul 15, 2024
TorrentPier Deserialization of Untrusted Data vulnerability
Critical
CVE-2024-40624
was published
for
torrentpier/torrentpier
(Composer)
Jul 15, 2024
Apache Linkis DataSource remote code execution vulnerability
High
CVE-2023-46801
was published
for
org.apache.linkis:linkis-datasource
(Maven)
Jul 15, 2024
pgAdmin 4 vulnerable to Unsafe Deserialization and Remote Code Execution by an Authenticated user
Critical
CVE-2024-2044
was published
for
pgAdmin4
(pip)
Mar 7, 2024
Apache InLong: Logged-in user could exploit an arbitrary file read vulnerability
Critical
CVE-2024-26580
was published
for
org.apache.inlong:manager-common
(Maven)
Mar 6, 2024
Apache Jena vulnerable to Deserialization of Untrusted Data
Critical
CVE-2022-45136
was published
for
org.apache.jena:jena-sdb
(Maven)
Nov 14, 2022
H2O vulnerable to Deserialization of Untrusted Data
High
CVE-2024-6960
was published
for
ai.h2o:h2o-core
(Maven)
Jul 21, 2024
.NET Denial of Service Vulnerability
High
CVE-2023-21538
was published
for
Microsoft.NetCore.App.Runtime.linux-arm
(NuGet)
Jan 10, 2023
REST Plugin in Apache Struts uses an XStreamHandler with an instance of XStream for deserialization without any type filtering
High
CVE-2017-9805
was published
for
org.apache.struts:struts2-rest-plugin
(Maven)
Oct 16, 2018
Remote code injection in Log4j
Critical
CVE-2021-44228
was published
for
com.guicedee.services:log4j-core
(Maven)
Dec 10, 2021
Gadget chain in Symfony 1 due to uncontrolled unserialized input in sfNamespacedParameterHolder
Moderate
CVE-2024-28861
was published
for
friendsofsymfony1/symfony1
(Composer)
Mar 22, 2024
jackson-databind mishandles the interaction between serialization gadgets and typing
High
CVE-2020-10672
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Apr 23, 2020
ProTip!
Advisories are also available from the
GraphQL API