GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
2,224 advisories
AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()
High | CVE-2026-43884 was published for wwbn/avideo (Composer) on May 5, 2026
AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass
Moderate | CVE-2026-43879 was published for wwbn/avideo (Composer) on May 5, 2026
MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint
Critical | CVE-2026-42281 was published for magicmirror (npm) on May 5, 2026
open-websearch has SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`
High | CVE-2026-42260 was published for open-websearch (npm) on May 5, 2026
ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs
High | CVE-2026-43929 was published for ssrfcheck (npm) on May 5, 2026
ssrfcheck: SSRF Bypass Caused by Failure to Classify Reserved IP Address Space as Invalid
High | CVE-2025-8267 was published for ssrfcheck (npm) on May 5, 2026
link-preview-js vulnerable to IPv6 and internal loopback attacks
High | CVE-2026-43897 was published for link-preview-js (npm) on May 5, 2026
Admidio has an incomplete fix for CVE-2026-32812 (SSRF)
Moderate | CVE-2026-42194 was published for admidio/admidio (Composer) on May 5, 2026
Geyser Vulnerable to Server-Side Request Forgery (SSRF) via Player Head Texture URL in Geyser
Low | CVE-2026-42188 was published for org.geysermc.geyser:core (Maven) on May 5, 2026
requests-hardened is Vulnerable to Server-Side Request Forgery
Moderate | CVE-2026-42175 was published for requests-hardened (pip) on May 5, 2026
XWiki PlantUML Macro Vulnerable to Server-Side Request Forgery (SSRF) via 'server' parameter
Moderate | CVE-2026-42140 was published for org.xwiki.contrib.plantuml:macro-plantuml-macro (Maven) on May 5, 2026
In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation...
High | Unreviewed | CVE-2026-7412 was published on May 5, 2026
FireFighter has unauthenticated SSRF in its Raid jira_bot endpoint that allows IAM credential theft
Critical | CVE-2026-42864 was published for firefighter-incident (pip) on May 5, 2026
edx-enterprise has SSRF via SAML metadata URL in sync_provider_data endpoint
High | CVE-2026-42860 was published for edx-enterprise (pip) on May 5, 2026
The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is...
Moderate | Unreviewed | CVE-2026-2948 was published on May 5, 2026
Axios: no_proxy bypass via IP alias allows SSRF
Moderate | CVE-2026-42038 was published for axios (npm) on May 5, 2026
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
High | CVE-2026-42043 was published for axios (npm) on May 5, 2026
pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)
High | CVE-2026-42313 was published for pyload-ng (pip) on May 4, 2026
OpenClaw validates Zalo outbound photo URLs through the SSRF guard
Moderate | GHSA-2hh7-c75g-qj2r was published for openclaw (npm) on May 4, 2026
Incus has Blind SSRF via Image Import Preflight HEAD
Moderate | CVE-2026-35527 was published for github.com/lxc/incus/v6/cmd/incusd (Go) on May 4, 2026
A security flaw has been discovered in pixelsock directus-mcp 1.0.0. This issue affects the...
Low | Unreviewed | CVE-2026-7729 was published on May 4, 2026
A security flaw has been discovered in JeecgBoot up to 3.9.1. This vulnerability affects the...
Low | Unreviewed | CVE-2026-7605 was published on May 2, 2026
The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in...
High | Unreviewed | CVE-2026-6229 was published on May 2, 2026
A vulnerability was identified in JeecgBoot up to 3.9.1. This affects the function...
Low | Unreviewed | CVE-2026-7604 was published on May 2, 2026
The PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to...
High | Unreviewed | CVE-2026-7049 was published on May 2, 2026