GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
4,076
Erlang
29
GitHub Actions
19
Go
1,895
Maven
5,000+
npm
3,630
NuGet
638
pip
3,244
Pub
10
RubyGems
862
Rust
818
Swift
35
Unreviewed advisories
All unreviewed
5,000+
123 advisories
Filter by severity
Deserialization of Untrusted Data in Apache commons collections
Critical
CVE-2015-7501
was published
for
commons-collections:commons-collections
(Maven)
May 13, 2022
Apache MyFaces Trinidad Deserialization Vulnerability
Critical
CVE-2016-5019
was published
for
org.apache.myfaces.trinidad:trinidad
(Maven)
May 13, 2022
Apache OpenMeetings RCE
Critical
CVE-2016-8736
was published
for
org.apache.openmeetings:openmeetings-parent
(Maven)
May 14, 2022
Deserialization of Untrusted Data in Apache Log4j
Critical
CVE-2022-23307
was published
for
log4j:log4j
(Maven)
Jan 19, 2022
Deserialization of Untrusted Data in Log4j
Critical
CVE-2019-17571
was published
for
log4j:log4j
(Maven)
Jan 6, 2020
Apache Flex BlazeDS unsafe deserialization
Critical
CVE-2017-5641
was published
for
org.apache.flex.blazeds:flex-messaging-core
(Maven)
May 13, 2022
Pippo RCE Vulnerability
Critical
CVE-2018-18240
was published
for
ro.pippo:pippo-core
(Maven)
May 13, 2022
Mulesoft Mule Unsafe Deserialization
Critical
CVE-2019-13116
was published
for
org.mule.runtime:mule
(Maven)
May 24, 2022
jackson-databind mishandles the interaction between serialization gadgets and typing
Critical
CVE-2020-9547
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
May 15, 2020
jackson-databind polymorphic typing issue
Critical
CVE-2019-17531
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Nov 13, 2019
jackson-databind polymorphic typing issue
Critical
CVE-2019-16943
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Nov 13, 2019
Arbitrary Code Execution in jackson-databind
Critical
CVE-2018-14718
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jan 4, 2019
Arbitrary Code Execution in jackson-databind
Critical
CVE-2018-14719
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jan 4, 2019
Improper Input Validation in jackson-databind
Critical
CVE-2019-17267
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 15, 2020
Polymorphic Typing issue in FasterXML jackson-databind
Critical
CVE-2019-16335
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Sep 23, 2019
Unsafe deserialization in Apache MINA SSHD
Critical
CVE-2022-45047
was published
for
org.apache.sshd:sshd-common
(Maven)
Nov 16, 2022
Apache Flume vulnerable to remote code execution via deserialization of unsafe providerURL
Critical
CVE-2022-42468
was published
for
org.apache.flume.flume-ng-sources:flume-jms-source
(Maven)
Oct 26, 2022
JFinal Java Deserialization Vulnerability
Critical
CVE-2021-31649
was published
for
com.jfinal:jfinal
(Maven)
May 24, 2022
Apache SOAP contains unauthenticated RPCRouterServlet
Critical
CVE-2022-45378
was published
for
soap:soap
(Maven)
Nov 14, 2022
XML External Entity Reference (XXE) in jackson-databind
Critical
CVE-2018-14720
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jan 4, 2019
Deserialization of Untrusted Data in jackson-databind due to polymorphic deserialization
Critical
CVE-2018-19360
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jan 4, 2019
Deserialization of Untrusted Data in jackson-databind
Critical
CVE-2020-8840
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Mar 4, 2020
Pivotal Spring Framework contains unsafe Java deserialization methods
Critical
CVE-2016-1000027
was published
for
org.springframework:spring-web
(Maven)
May 24, 2022
Apache Linkis JDBC EngineConn has deserialization vulnerability
Critical
CVE-2023-29215
was published
for
org.apache.linkis:linkis-engineconn
(Maven)
Apr 10, 2023
Apache Linkis DatasourceManager module has deserialization vulnerability
Critical
CVE-2023-29216
was published
for
org.apache.linkis:linkis-datasource
(Maven)
Apr 10, 2023
ProTip!
Advisories are also available from the
GraphQL API