
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

552 advisories

pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992) Critical
CVE-2026-35459 was published for pyload-ng (pip) Apr 4, 2026
Credited to kodareef5
web3.py: SSRF via CCIP Read (EIP-3668) OffchainLookup URL handling Moderate
GHSA-5hr4-253g-cpx2 was published for web3 (pip) Apr 4, 2026
Credited to Nadav0077
Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import High
CVE-2026-35409 was published for directus (npm) Apr 4, 2026
Credited to alissonbezerra and odgrso
pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter High
CVE-2026-35187 was published for pyload-ng (pip) Apr 4, 2026
Credited to morimori-dev
vLLM: Server-Side Request Forgery (SSRF) in `download_bytes_from_url` Moderate
CVE-2026-34753 was published for vllm (pip) Apr 3, 2026
Credited to Fushuling, L2ncE, TsingShui, l2yyd5, Danthology, arthur-stat, BoyiZhao, russellb, and jperezdealgaba
Credited to redyank
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist Critical
CVE-2026-31818 was published for @budibase/backend-core (npm) Apr 3, 2026
Credited to Moonster8282
Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages Moderate
CVE-2026-35540 was published for roundcube/roundcubemail (Composer) Apr 3, 2026
Ech0: Unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata High
CVE-2026-35037 was published for github.com/lin-snow/ech0 (Go) Apr 3, 2026
Credited to offset
Ech0 has Unauthenticated Server-Side Request Forgery in Website Preview Feature High
CVE-2026-35036 was published for github.com/lin-snow/ech0 (Go) Apr 3, 2026
Credited to VashuVats
OpenClaw: SSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery Moderate
GHSA-9q7v-8mr7-g23p was published for openclaw (npm) Apr 2, 2026
Credited to tdjackey
a11y-mcp: Server-Side Request Forgery (SSRF) vulnerability in A11yServer function Low
CVE-2026-5323 was published for a11y-mcp (npm) Apr 2, 2026
PraisonAI Has SSRF in FileTools.download_file() via Unvalidated URL High
CVE-2026-34954 was published for praisonaiagents (pip) Apr 1, 2026
Credited to YeranG30
PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback High
CVE-2026-34936 was published for praisonai (pip) Apr 1, 2026
Credited to YeranG30
SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6 Moderate
CVE-2026-34526 was published for sillytavern (npm) Apr 1, 2026
Credited to bulmax9797-sketch
Credited to nvn1729 and bdraco
Payload has Authenticated SSRF via Upload Functionality High
CVE-2026-34746 was published for payload (npm) Apr 1, 2026
AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation Moderate
CVE-2026-34740 was published for wwbn/avideo (Composer) Apr 1, 2026
Credited to adrgs and aisafe-bot
OpenClaw affected by SSRF via unguarded image download in fal provider Low
GHSA-qxgf-hmcj-3xw3 was published for openclaw (npm) Apr 1, 2026
Credited to AntAISecurityLab
OpenClaw SSRF guard misses four IPv6 special-use ranges Low
GHSA-g86v-f9qv-rh6m was published for openclaw (npm) Mar 31, 2026
Credited to nicky-cc
Nuxt OG Image vulnerable to Server-Side Request Forgery via user-controlled parameters Moderate
GHSA-pqhr-mp3f-hrpp was published for nuxt-og-image (npm) Mar 31, 2026
FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability Critical
CVE-2026-32871 was published for fastmcp (pip) Mar 31, 2026
Credited to Pr00fOf3xpl0it and Jaynornj
OpenStack Glance is affected by Server-Side Request Forgery (SSRF) Moderate
CVE-2026-34881 was published for glance (pip) Mar 31, 2026
Kyverno is vulnerable to server-side request forgery (SSRF) Moderate
CVE-2026-4789 was published for github.com/kyverno/kyverno (Go) Mar 30, 2026
FHIR Validator: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing Moderate
CVE-2026-34360 was published for ca.uhn.hapi.fhir:org.hl7.fhir.core (Maven) Mar 30, 2026
Credited to offset