Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,405
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,641
Pub
13
RubyGems
1,026
Rust
1,209
Swift
53
Unreviewed advisories
All unreviewed
5,000+

97 advisories

Loading
Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages Moderate
CVE-2026-35540 was published for roundcube/roundcubemail (Composer) Apr 3, 2026
AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation Moderate
CVE-2026-34740 was published for wwbn/avideo (Composer) Apr 1, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints Moderate
CVE-2026-33766 was published for wwbn/avideo (Composer) Mar 26, 2026
kodareef5 Credited to kodareef5
Saloon is vulnerable to SSRF and credential leakage via absolute URL in endpoint overriding base URL Moderate
CVE-2026-33182 was published for saloonphp/saloon (Composer) Mar 25, 2026
HuajiHD Credited to HuajiHD, JonPurvis, and Sammyjo20 JonPurvis JonPurvis
Sammyjo20 Sammyjo20
AVideo: Full-Read SSRF Through Unvalidated statsURL Parameter in plugin/Live/test.php Moderate
GHSA-wxjx-r2j2-96fx was published for wwbn/avideo (Composer) Mar 25, 2026
offset Credited to offset
Roadiz has Server-Side Request Forgery (SSRF) in roadiz/documents Moderate
CVE-2026-33486 was published for roadiz/documents (Composer) Mar 23, 2026
ROCmertakdag Credited to ROCmertakdag and ambroisemaupate ambroisemaupate ambroisemaupate
Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin Moderate
CVE-2026-32279 was published for opensource-workshop/connect-cms (Composer) Mar 23, 2026
odgrso Credited to odgrso
AVideo has Unauthenticated SSRF via plugin/Live/test.php Critical
CVE-2026-33502 was published for wwbn/avideo (Composer) Mar 20, 2026
Ahmad-jarwan Credited to Ahmad-jarwan
AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy High
CVE-2026-33480 was published for wwbn/avideo (Composer) Mar 20, 2026
offset Credited to offset
AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass Critical
CVE-2026-33351 was published for wwbn/avideo (Composer) Mar 19, 2026
iconnnjka Credited to iconnnjka
league/commonmark has an embed extension allowed_domains bypass Moderate
CVE-2026-33347 was published for league/commonmark (Composer) Mar 19, 2026
HuajiHD Credited to HuajiHD
AVideo Affected by SSRF in BulkEmbed Thumbnail Fetch Allows Reading Internal Network Resources Moderate
CVE-2026-33294 was published for wwbn/avideo (Composer) Mar 19, 2026
offset Credited to offset
AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation Moderate
CVE-2026-33237 was published for wwbn/avideo (Composer) Mar 19, 2026
offset Credited to offset
AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy High
CVE-2026-33039 was published for wwbn/avideo (Composer) Mar 17, 2026
bugbunny-research Credited to bugbunny-research
Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint Moderate
CVE-2026-32812 was published for admidio/admidio (Composer) Mar 16, 2026
offset Credited to offset
Idno Vulnerable to Unauthenticated SSRF via URL Unfurl Endpoint Critical
CVE-2026-28508 was published for idno/known (Composer) Mar 2, 2026
anuraagbaishya Credited to anuraagbaishya
Statamic Vulnerable to Server-Side Request Forgery via Glide Moderate
CVE-2026-28423 was published for statamic/cms (Composer) Mar 1, 2026
dxlerYT Credited to dxlerYT
AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php High
CVE-2026-27732 was published for wwbn/avideo (Composer) Feb 25, 2026
arkmarta Credited to arkmarta
Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution Moderate
CVE-2026-27129 was published for craftcms/cms (Composer) Feb 24, 2026
RajChowdhury240 Credited to RajChowdhury240 and rlarabee rlarabee rlarabee
Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation Moderate
CVE-2026-25494 was published for craftcms/cms (Composer) Feb 9, 2026
mHe4am Credited to mHe4am
Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect Moderate
CVE-2026-25493 was published for craftcms/cms (Composer) Feb 9, 2026
mHe4am Credited to mHe4am
Craft CMS: save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host Moderate
CVE-2026-25492 was published for craftcms/craft (Composer) Feb 9, 2026
LeftenantZero Credited to LeftenantZero
Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation Moderate
CVE-2025-68437 was published for craftcms/cms (Composer) Jan 5, 2026
mHe4am Credited to mHe4am
Grav may be vulnerable to SSRF attack via Twig Templates Critical
CVE-2025-66844 was published for getgrav/grav (Composer) Dec 15, 2025
Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice Low
GHSA-3cpp-fv95-mpr5 was published for shopware/core (Composer) Oct 21, 2025
larskemper Credited to larskemper
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database