GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

11 advisories

ImageMagick Vulnerable to Stack Overflow in its MVG Decoder (Severity: Moderate)
CVE-2026-48734 was published for Magick.NET-Q16-AnyCPU (NuGet) on Jun 25, 2026
Credited to omkhar
ImageMagick has an Infinite Loop in subimage-search with crafted image (Severity: Moderate)
CVE-2026-48733 was published for Magick.NET-Q16-AnyCPU (NuGet) on Jun 25, 2026
Credited to omkhar
ImageMagick has a Heap Buffer Underwrite in the Floyd-Steinberg depth dithering method (Severity: Moderate)
CVE-2026-48724 was published for Magick.NET-Q16-AnyCPU (NuGet) on Jun 25, 2026
Credited to omkhar
jackson-databind has @JsonView bypass for setterless creator properties (Severity: Moderate)
CVE-2026-54517 was published for com.fasterxml.jackson.core:jackson-databind (Maven) on Jun 23, 2026
Credited to omkhar
jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields (Severity: Moderate)
CVE-2026-54516 was published for com.fasterxml.jackson.core:jackson-databind (Maven) on Jun 23, 2026
Credited to omkhar
jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties (Severity: Moderate)
CVE-2026-54515 was published for com.fasterxml.jackson.core:jackson-databind (Maven) on Jun 23, 2026
Credited to omkhar, pjfanning, snieguu, and ataillefer
jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF) (Severity: Moderate)
CVE-2026-54514 was published for com.fasterxml.jackson.core:jackson-databind (Maven) on Jun 23, 2026
Credited to omkhar
jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray) (Severity: High)
CVE-2026-54513 was published for com.fasterxml.jackson.core:jackson-databind (Maven) on Jun 23, 2026
Credited to omkhar
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation (Severity: High)
CVE-2026-54512 was published for com.fasterxml.jackson.core:jackson-databind (Maven) on Jun 23, 2026
Credited to caveeroo, omkhar, and 75ACOL
jackson-databind has a @JsonView bypass for unwrapped creator parameters (Severity: Moderate)
CVE-2026-54518 was published for com.fasterxml.jackson.core:jackson-databind (Maven) on Jun 23, 2026
Credited to omkhar
ImageMagick: Heap Buffer Over-Write in IPL decoder when reading multiple images of different dimensions (Severity: High)
CVE-2026-46520 was published for Magick.NET-Q16-AnyCPU (NuGet) on May 18, 2026
Credited to omkhar