GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

552 advisories

AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation Moderate
CVE-2026-33237 was published for wwbn/avideo (Composer) Mar 19, 2026
Credited to offset
Duplicate Advisory: web_search citation redirect SSRF via private-network-allowing policy Moderate
GHSA-44c9-4rg5-qjgq was published for openclaw (npm) Mar 19, 2026 withdrawn
Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview High
CVE-2026-33226 was published for budibase (npm) Mar 18, 2026
Credited to da7om85
PinchTab has a Blind SSRF via browser-side redirect bypass in /download URL validation Moderate
CVE-2026-33081 was published for github.com/pinchtab/pinchtab (Go) Mar 18, 2026
Credited to Yesuhei
SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks Moderate
CVE-2026-33060 was published for @aborruso/ckan-mcp-server (npm) Mar 18, 2026
Credited to abcgco
AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy High
CVE-2026-33039 was published for wwbn/avideo (Composer) Mar 17, 2026
Credited to bugbunny-research
Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint Moderate
CVE-2026-32812 was published for admidio/admidio (Composer) Mar 16, 2026
Credited to offset
Kargo Vulnerable to SSRF in Promotion http/http-download Steps Enables Internal Network Access and Data Exfiltration Moderate
CVE-2026-32828 was published for github.com/akuity/kargo (Go) Mar 16, 2026
Credited to maru1009 and krancour
Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation Moderate
CVE-2026-2455 was published for github.com/mattermost/mattermost-server (Go) Mar 16, 2026
Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames Critical
CVE-2026-25534 was published for io.spinnaker.clouddriver:clouddriver-artifacts (Maven) Mar 16, 2026
Credited to jaydhulia and jasonmcintosh
Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL Critical
CVE-2026-32301 was published for github.com/centrifugal/centrifugo (Go) Mar 13, 2026
Credited to VarshankNaik
@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch Low
CVE-2026-32236 was published for @backstage/plugin-auth-backend (npm) Mar 12, 2026
ha-mcp OAuth 2.1 DCR mode enables network reconnaissance via an error oracle Moderate
CVE-2026-32111 was published for ha-mcp (pip) Mar 12, 2026
Credited to yotampe-pluto and julienld
SiYuan has a Full-Read SSRF via /api/network/forwardProxy High
CVE-2026-32110 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 12, 2026
Credited to ritikchaddha and neo-ai-engineer
Quill vulnerable to SSRF via unvalidated URL from Apple notarization log retrieval Moderate
CVE-2026-31959 was published for github.com/anchore/quill (Go) Mar 11, 2026
Credited to nlgbao1340
pdfmake is vulnerable to server-side request forgery (SSRF) High
CVE-2026-26801 was published for pdfmake (npm) Mar 10, 2026
Credited to mariopepe
MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers High
CVE-2026-27826 was published for mcp-atlassian (pip) Mar 10, 2026
Credited to yotampe-pluto and gil-maman-p
Credited to alzimmermsft and vcolin7
vLLM has SSRF Protection Bypass Moderate
CVE-2026-25960 was published for vllm (pip) Mar 9, 2026
Credited to RacerZ-fighting, russellb, DarkLight1337, Isotr0py, and Fushuling
WeKnora has DNS Rebinding Vulnerability in web_fetch Tool that Allows SSRF to Internal Resources High
CVE-2026-30858 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
Credited to aleister1102 and Haruna38
soft-serve vulnerable to SSRF via unvalidated LFS endpoint in repo import Critical
CVE-2026-30832 was published for github.com/charmbracelet/soft-serve (Go) Mar 6, 2026
Credited to vnykmshr
PinchTab has SSRF with Full Response Exfiltration via Download Handler High
CVE-2026-30834 was published for github.com/pinchtab/pinchtab/cmd/pinchtab (Go) Mar 6, 2026
Credited to aleister1102
WeKnora is Vulnerable to SSRF via Redirection Moderate
CVE-2026-30247 was published for github.com/Tencent/WeKnora (Go) Mar 5, 2026
Credited to aleister1102 and Haruna38
Plane has SSRF via Incomplete IP Validation in Webhook URL Serializer High
CVE-2026-30242 was published for plane (pip) Mar 5, 2026
Credited to ByamB4