GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
2,035 advisories
pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)
Critical
CVE-2026-35459
was published
for
pyload-ng
(pip)
Apr 4, 2026
web3.py: SSRF via CCIP Read (EIP-3668) OffchainLookup URL handling
Moderate
GHSA-5hr4-253g-cpx2
was published
for
web3
(pip)
Apr 4, 2026
Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import
High
CVE-2026-35409
was published
for
directus
(npm)
Apr 4, 2026
pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter
High
CVE-2026-35187
was published
for
pyload-ng
(pip)
Apr 4, 2026
vLLM: Server-Side Request Forgery (SSRF) in `download_bytes_from_url `
Moderate
CVE-2026-34753
was published
for
vllm
(pip)
Apr 3, 2026
curl_cffi: Redirect-based SSRF leads to internal network access in curl_cffi (with TLS impersonation bypass)
High
CVE-2026-33752
was published
for
curl_cffi
(pip)
Apr 3, 2026
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
Critical
CVE-2026-31818
was published
for
@budibase/backend-core
(npm)
Apr 3, 2026
Ech0: Unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata
High
CVE-2026-35037
was published
for
github.com/lin-snow/ech0
(Go)
Apr 3, 2026
Ech0 has Unauthenticated Server-Side Request Forgery in Website Preview Feature
High
CVE-2026-35036
was published
for
github.com/lin-snow/ech0
(Go)
Apr 3, 2026
OpenClaw: SSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery
Moderate
GHSA-9q7v-8mr7-g23p
was published
for
openclaw
(npm)
Apr 2, 2026
PraisonAI Has SSRF in FileTools.download_file() via Unvalidated URL
High
CVE-2026-34954
was published
for
praisonaiagents
(pip)
Apr 1, 2026
ProTip!
Advisories are also available from the
GraphQL API