GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
77 advisories
MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint
Critical
CVE-2026-42281
was published
for
magicmirror
(npm)
May 5, 2026
Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection
Critical
CVE-2026-40280
was published
for
github.com/gotenberg/gotenberg/v8
(Go)
Apr 30, 2026
pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)
Critical
CVE-2026-35459
was published
for
pyload-ng
(pip)
Apr 4, 2026
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
Critical
CVE-2026-31818
was published
for
@budibase/backend-core
(npm)
Apr 3, 2026
FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability
Critical
CVE-2026-32871
was published
for
fastmcp
(pip)
Mar 31, 2026
pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
Critical
CVE-2026-33992
was published
for
pyload-ng
(pip)
Mar 27, 2026
AVideo has Unauthenticated SSRF via plugin/Live/test.php
Critical
CVE-2026-33502
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass
Critical
CVE-2026-33351
was published
for
wwbn/avideo
(Composer)
Mar 19, 2026
Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames
Critical
CVE-2026-25534
was published
for
io.spinnaker.clouddriver:clouddriver-artifacts
(Maven)
Mar 16, 2026
Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL
Critical
CVE-2026-32301
was published
for
github.com/centrifugal/centrifugo
(Go)
Mar 13, 2026
soft-serve vulnerable to SSRF via unvalidated LFS endpoint in repo import
Critical
CVE-2026-30832
was published
for
github.com/charmbracelet/soft-serve
(Go)
Mar 6, 2026
Idno Vulnerable to Unauthenticated SSRF via URL Unfurl Endpoint
Critical
CVE-2026-28508
was published
for
idno/known
(Composer)
Mar 2, 2026
Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline
Critical
CVE-2026-27739
was published
for
@angular/ssr
(npm)
Feb 25, 2026
Kyverno Cross-Namespace Privilege Escalation via Policy apiCall
Critical
CVE-2026-22039
was published
for
github.com/kyverno/kyverno
(Go)
Jan 27, 2026
ZITADEL Vulnerable to Unauthenticated Full-Read SSRF via V2 Login
Critical
CVE-2025-67494
was published
for
github.com/zitadel/zitadel
(Go)
Dec 8, 2025
Soft Serve is vulnerable to SSRF through its Webhooks
Critical
CVE-2025-64522
was published
for
github.com/charmbracelet/soft-serve
(Go)
Nov 10, 2025
BentoML SSRF Vulnerability in File Upload Processing
Critical
CVE-2025-54381
was published
for
bentoml
(pip)
Jul 29, 2025
GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)
Critical
CVE-2024-34711
was published
for
org.geoserver.main:gs-main
(Maven)
Jun 10, 2025
LNbits Lightning Network Payment System Vulnerable to Server-Side Request Forgery via LNURL Authentication Callback
Critical
CVE-2025-32013
was published
for
lnbits
(pip)
Apr 7, 2025
http4k has a potential XXE (XML External Entity Injection) vulnerability
Critical
CVE-2024-55875
was published
for
org.http4k:http4k-format-xml
(Maven)
Dec 12, 2024
ProTip!
Advisories are also available from the
GraphQL API