GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 86
GitHub Actions: 54
Go: 4,169
Maven: 5,000+
npm: 5,000+
NuGet: 1,019
pip: 5,000+
Pub: 13
RubyGems: 1,102
Rust: 1,421
Swift: 61
Unreviewed advisories
All unreviewed: 5,000+
2,487 advisories

Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)
Severity: Moderate. CVE-2026-54242 was published for statamic/cms (Composer) on Jun 26, 2026.

PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option
Severity: Moderate. CVE-2026-49359 was published for pontedilana/php-weasyprint (Composer) on Jun 26, 2026.

Hackney has SSRF allowlist bypass in hackney_url:normalize/2 via percent-encoded host
Severity: Moderate. CVE-2026-47076 was published for hackney (Erlang) on Jun 26, 2026.

Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy
Severity: Low. CVE-2026-49262 was published for aimeos/pagible (Composer) on Jun 26, 2026.

@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url
Severity: Low. GHSA-rp72-5v5q-2446 was published for @cardano402/mcp-server (npm) on Jun 26, 2026.

Hysteria has an authenticated UDP ACL bypass that enables localhost and private-network UDP SSRF
Severity: High. GHSA-vgrc-hq28-p3xp was published for github.com/apernet/hysteria/core/v2 (Go) on Jun 26, 2026.

pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678)
Severity: Moderate. CVE-2026-48782 was published for pydantic-ai (pip) on Jun 26, 2026.

Fluentd is Vulnerable to Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`
Severity: High. CVE-2026-44161 was published for fluentd (RubyGems) on Jun 26, 2026.

Subscriber Server Side Request Forgery (SSRF) in Kirki <= 6.0.11 versions.
Severity: Moderate. Unreviewed. CVE-2026-57627 was published on Jun 26, 2026.

Subscriber Server Side Request Forgery (SSRF) in utm.codes <= 1.9.0 versions.
Severity: Moderate. Unreviewed. CVE-2026-56026 was published on Jun 26, 2026.

Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate...
Severity: Moderate. Unreviewed. CVE-2026-4339 was published on Jun 26, 2026.

HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import...
Severity: Low. Unreviewed. CVE-2026-57940 was published on Jun 26, 2026.

The WSO2 API Manager's message flow component, when processing WS-Addressing headers, does not...
Severity: High. Unreviewed. CVE-2026-2053 was published on Jun 26, 2026.

A server-side request forgery (SSRF) flaw was found in KubeVirt's virt-api port-forward handler....
Severity: Moderate. Unreviewed. CVE-2026-13318 was published on Jun 26, 2026.

A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without...
Severity: High. Unreviewed. CVE-2026-12992 was published on Jun 26, 2026.

Lemur: ACME SSRF + creator-equality IDOR lead to AWS IAM/PKI compromise
Severity: Critical. CVE-2026-55166 was published for lemur (pip) on Jun 25, 2026.

Lemur: Crafted CRL/OCSP URLs in uploaded certificates lead to post-authentication SSRF
Severity: Moderate. CVE-2026-55162 was published for lemur (pip) on Jun 25, 2026.

Two data sources (DICOMWebProxy and DICOMJSON) shipped in the default configuration fetch an...
Severity: High. Unreviewed. CVE-2026-12473 was published on Jun 25, 2026.

Huly Platform through 0.7.423, fixed in commit 68cbf8a contains an authenticated server-side...
Severity: Moderate. Unreviewed. CVE-2026-56769 was published on Jun 25, 2026.

MaxKB before 2.10.0 contains a server-side request forgery vulnerability in tool creation and...
Severity: Moderate. Unreviewed. CVE-2026-56779 was published on Jun 25, 2026.

NewsBlur before version 14.5.0 contains a server-side request forgery vulnerability in the...
Severity: Moderate. Unreviewed. CVE-2026-56771 was published on Jun 25, 2026.

Jenkins Assembla Plugin 1.4 and earlier does not configure its XML parser to prevent XML external...
Severity: High. Unreviewed. CVE-2026-57303 was published on Jun 24, 2026.

Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint GET /api/reports/{id}...
Severity: Moderate. Unreviewed. CVE-2026-13150 was published on Jun 24, 2026.

The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions...
Severity: Moderate. Unreviewed. CVE-2026-11370 was published on Jun 24, 2026.

The Kargo Takip plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions...
Severity: High. Unreviewed. CVE-2026-12095 was published on Jun 24, 2026.

ProTip! Advisories are also available from the GraphQL API.