GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
299 advisories
pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)
Critical | CVE-2026-35459 was published for pyload-ng (pip) | Apr 4, 2026

Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
Critical | CVE-2026-31818 was published for @budibase/backend-core (npm) | Apr 3, 2026

Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate...
Critical | Unreviewed | CVE-2026-33107 was published | Apr 3, 2026

Server-side request forgery (ssrf) in Azure Custom Locations Resource Provider (RP) allows an...
Critical | Unreviewed | CVE-2026-26135 was published | Apr 3, 2026

FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability
Critical | CVE-2026-32871 was published for fastmcp (pip) | Mar 31, 2026

pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
Critical | CVE-2026-33992 was published for pyload-ng (pip) | Mar 27, 2026

AVideo has Unauthenticated SSRF via plugin/Live/test.php
Critical | CVE-2026-33502 was published for wwbn/avideo (Composer) | Mar 20, 2026

Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to...
Critical | Unreviewed | CVE-2026-32169 was published | Mar 19, 2026

AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass
Critical | CVE-2026-33351 was published for wwbn/avideo (Composer) | Mar 19, 2026

Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames
Critical | CVE-2026-25534 was published for io.spinnaker.clouddriver:clouddriver-artifacts (Maven) | Mar 16, 2026

Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL
Critical | CVE-2026-32301 was published for github.com/centrifugal/centrifugo (Go) | Mar 13, 2026

An issue pertaining to CWE-918: Server-Side Request Forgery was discovered in oslabs-beta...
Critical | Unreviewed | CVE-2025-70042 was published | Mar 9, 2026

soft-serve vulnerable to SSRF via unvalidated LFS endpoint in repo import
Critical | CVE-2026-30832 was published for github.com/charmbracelet/soft-serve (Go) | Mar 6, 2026

Idno Vulnerable to Unauthenticated SSRF via URL Unfurl Endpoint
Critical | CVE-2026-28508 was published for idno/known (Composer) | Mar 2, 2026

Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline
Critical | CVE-2026-27739 was published for @angular/ssr (npm) | Feb 25, 2026

Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve remote code...
Critical | Unreviewed | CVE-2026-26339 was published | Feb 19, 2026

SoftVision webPDF before 10.0.2 is vulnerable to Server-Side Request Forgery (SSRF). The PDF...
Critical | Unreviewed | CVE-2025-55853 was published | Feb 19, 2026

Server-Side Request Forgery (SSRF) vulnerability in Teknolist Computer Systems Software...
Critical | Unreviewed | CVE-2025-11242 was published | Feb 10, 2026

Tiny File Manager through 2.6 contains a server-side request forgery (SSRF) vulnerability in the...
Critical | Unreviewed | CVE-2025-46651 was published | Feb 3, 2026

Kyverno Cross-Namespace Privilege Escalation via Policy apiCall
Critical | CVE-2026-22039 was published for github.com/kyverno/kyverno (Go) | Jan 27, 2026

Server-Side Request Forgery (SSRF) vulnerability in wbolt.com IMGspider imgspider allows Server...
Critical | Unreviewed | CVE-2026-22482 was published | Jan 22, 2026

Server-Side Request Forgery (SSRF) vulnerability in Marco Milesi ANAC XML Viewer anac-xml-viewer...
Critical | Unreviewed | CVE-2025-64252 was published | Jan 22, 2026

Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Pool Services pool-services...
Critical | Unreviewed | CVE-2025-62741 was published | Jan 22, 2026

Server-Side Request Forgery (SSRF) vulnerability in _nK nK Themes Helper nk-themes-helper allows...
Critical | Unreviewed | CVE-2025-22726 was published | Jan 8, 2026

A critical vulnerability has been identified in givanz VvvebJs 1.7.2, which allows both Server...
Critical | Unreviewed | CVE-2024-25181 was published | Dec 29, 2025
ProTip! Advisories are also available from the GraphQL API.