GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
2,046 advisories
WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732)
High | CVE-2026-39370 was published for WWBN/AVideo (Composer) | Apr 8, 2026

WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services
Moderate | CVE-2026-39368 was published for WWBN/AVideo (Composer) | Apr 8, 2026

OpenClaw: Marketplace Plugin Download Follows Redirects Without SSRF Protection
Moderate | GHSA-vjx8-8p7h-82gr was published for openclaw (npm) | Apr 7, 2026

Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm
High | CVE-2026-33540 was published for github.com/distribution/distribution (Go) | Apr 6, 2026

A vulnerability was determined in assafelovic gpt-researcher up to 3.4.3. Affected is an unknown...
Moderate | Unreviewed | CVE-2026-5633 was published | Apr 6, 2026

A vulnerability was detected in kalcaddle kodbox up to 1.64. This affects an unknown function of...
Moderate | Unreviewed | CVE-2026-5618 was published | Apr 6, 2026

A vulnerability was identified in hcengineering Huly Platform 0.7.382. This affects an unknown...
Moderate | Unreviewed | CVE-2026-5623 was published | Apr 6, 2026

A security vulnerability has been detected in imprvhub mcp-browser-agent up to 0.8.0. This...
Moderate | Unreviewed | CVE-2026-5607 was published | Apr 6, 2026

A vulnerability was detected in QingdaoU OnlineJudge up to 1.6.1. Affected by this issue is the...
Moderate | Unreviewed | CVE-2026-5538 was published | Apr 5, 2026

A flaw has been found in Ollama up to 18.1. This issue affects some unknown processing of the...
Moderate | Unreviewed | CVE-2026-5530 was published | Apr 5, 2026

pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)
Critical | CVE-2026-35459 was published for pyload-ng (pip) | Apr 4, 2026

web3.py: SSRF via CCIP Read (EIP-3668) OffchainLookup URL handling
Moderate | GHSA-5hr4-253g-cpx2 was published for web3 (pip) | Apr 4, 2026

Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import
High | CVE-2026-35409 was published for directus (npm) | Apr 4, 2026

pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter
High | CVE-2026-35187 was published for pyload-ng (pip) | Apr 4, 2026

vLLM: Server-Side Request Forgery (SSRF) in `download_bytes_from_url`
Moderate | CVE-2026-34753 was published for vllm (pip) | Apr 3, 2026

curl_cffi: Redirect-based SSRF leads to internal network access in curl_cffi (with TLS impersonation bypass)
High | CVE-2026-33752 was published for curl_cffi (pip) | Apr 3, 2026

Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
Critical | CVE-2026-31818 was published for @budibase/backend-core (npm) | Apr 3, 2026

prompts.chat prior to commit 30a8f04 contains a server-side request forgery vulnerability in Fal...
High | Unreviewed | CVE-2026-22664 was published | Apr 3, 2026

prompts.chat prior to commit 1464475 contains a blind server-side request forgery vulnerability...
Moderate | Unreviewed | CVE-2026-22662 was published | Apr 3, 2026

A security vulnerability has been detected in mixelpixx Google-Research-MCP...
Moderate | Unreviewed | CVE-2026-5470 was published | Apr 3, 2026

Microsoft Bing Elevation of Privilege Vulnerability
Moderate | Unreviewed | CVE-2026-32186 was published | Apr 3, 2026

A weakness has been identified in Casdoor 2.356.0. This vulnerability affects unknown code of the...
Moderate | Unreviewed | CVE-2026-5469 was published | Apr 3, 2026

Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages
Moderate | CVE-2026-35540 was published for roundcube/roundcubemail (Composer) | Apr 3, 2026

Ech0: Unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata
High | CVE-2026-35037 was published for github.com/lin-snow/ech0 (Go) | Apr 3, 2026

Ech0 has Unauthenticated Server-Side Request Forgery in Website Preview Feature
High | CVE-2026-35036 was published for github.com/lin-snow/ech0 (Go) | Apr 3, 2026

ProTip! Advisories are also available from the GraphQL API.