GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

650 advisories

AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL() (High)
CVE-2026-43884 was published for wwbn/avideo (Composer) May 5, 2026
Credited to SnailSploit and offset

MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint (Critical)
CVE-2026-42281 was published for magicmirror (npm) May 5, 2026
Credited to Astaruf and hits313

ssrfcheck: SSRF Bypass Caused by Failure to Classify Reserved IP Address Space as Invalid (High)
CVE-2025-8267 was published for ssrfcheck (npm) May 5, 2026
Credited to lirantal

link-preview-js vulnerable to IPv6 and internal loopback attacks (High)
CVE-2026-43897 was published for link-preview-js (npm) May 5, 2026
Credited to Andrew-most-likely and ospfranco

Admidio has an incomplete fix for CVE-2026-32812 (SSRF) (Moderate)
CVE-2026-42194 was published for admidio/admidio (Composer) May 5, 2026
Credited to decsecre583

Geyser Vulnerable to Server-Side Request Forgery (SSRF) via Player Head Texture URL in Geyser (Low)
CVE-2026-42188 was published for org.geysermc.geyser:core (Maven) May 5, 2026
Credited to mugi-sec and onebeastchris

requests-hardened is Vulnerable to Server-Side Request Forgery (Moderate)
CVE-2026-42175 was published for requests-hardened (pip) May 5, 2026
Credited to hits313

XWiki PlantUML Macro Vulnerable to Server-Side Request Forgery (SSRF) via 'server' parameter (Moderate)
CVE-2026-42140 was published for org.xwiki.contrib.plantuml:macro-plantuml-macro (Maven) May 5, 2026
Credited to lukasz-rybak

FireFighter has unauthenticated SSRF in its Raid jira_bot endpoint that allows IAM credential theft (Critical)
CVE-2026-42864 was published for firefighter-incident (pip) May 5, 2026

edx-enterprise has SSRF via SAML metadata URL in sync_provider_data endpoint (High)
CVE-2026-42860 was published for edx-enterprise (pip) May 5, 2026
Credited to ik0z

Axios: no_proxy bypass via IP alias allows SSRF (Moderate)
CVE-2026-42038 was published for axios (npm) May 5, 2026
Credited to srisowmya2000, sachinpatilpsp and IAMolofficial

OpenClaw validates Zalo outbound photo URLs through the SSRF guard (Moderate)
GHSA-2hh7-c75g-qj2r was published for openclaw (npm) May 4, 2026
Credited to foodlook

Incus has Blind SSRF via Image Import Preflight HEAD (Moderate)
CVE-2026-35527 was published for github.com/lxc/incus/v6/cmd/incusd (Go) May 4, 2026
Credited to stamparm, stgraber and manthanghasadiya

Weblate Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url (Moderate)
CVE-2026-41654 was published for weblate (pip) Apr 30, 2026
Credited to fg0x0 and nijel

Gotenberg Vulnerable to Unauthenticated SSRF via Unfiltered Webhook URL (High)
CVE-2026-39383 was published for github.com/gotenberg/gotenberg/v8 (Go) Apr 30, 2026
Credited to S-Senhaji

Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection (Critical)
CVE-2026-40280 was published for github.com/gotenberg/gotenberg/v8 (Go) Apr 30, 2026
Credited to morimori-dev

i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters (High)
CVE-2026-42353 was published for i18next-http-middleware (npm) Apr 29, 2026

pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber (High)
CVE-2026-42352 was published for pygeoapi (pip) Apr 29, 2026
Credited to Elnimo-00

Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services (High)
GHSA-wr32-99hh-6f35 was published for github.com/0xJacky/Nginx-UI (Go) Apr 29, 2026
Credited to miffyaa