GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,269
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,487
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,541 advisories
Filter by severity
Weblate SSRF: outbound URL guard misses some private ranges
Moderate
CVE-2026-50127
was published
for
weblate
(pip)
Jul 7, 2026
oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read)
Moderate
CVE-2026-53508
was published
for
github.com/oasdiff/oasdiff
(Go)
Jul 7, 2026
NocoBase through 2.1.20 contains a server-side request forgery vulnerability in the serverRequest...
Moderate
Unreviewed
CVE-2026-58468
was published
Jul 7, 2026
LocalAI contains an unauthenticated server-side request forgery vulnerability in the POST /models...
Critical
Unreviewed
CVE-2026-59707
was published
Jul 7, 2026
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints
Critical
CVE-2026-53513
was published
for
@better-auth/sso
(npm)
Jul 7, 2026
@aborruso/ckan-mcp-server: SSRF via base_url allows access to internal networks (Potential fix bypass of CVE-2026-33060)
Moderate
CVE-2026-53509
was published
for
@aborruso/ckan-mcp-server
(npm)
Jul 7, 2026
Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality
Moderate
CVE-2026-34225
was published
for
open-webui
(pip)
Jul 7, 2026
New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs
High
CVE-2026-33655
was published
for
github.com/QuantumNous/new-api
(Go)
Jul 7, 2026
Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write
High
GHSA-qrwj-vh9x-gw5v
was published
for
github.com/coder/coder/v2
(Go)
Jul 6, 2026
Dragonfly scheduler v1 and v2 gRPC unauthenticated SSRF via attacker-controlled PeerHost in DownloadTinyFile
Moderate
CVE-2026-54637
was published
for
d7y.io/dragonfly/v2
(Go)
Jul 6, 2026
flyto-core has SSRF guard bypass via IPv6 transition addresses (IPv4-mapped / 6to4 / NAT64) in validate_url_ssrf
High
CVE-2026-55787
was published
for
flyto-core
(pip)
Jul 6, 2026
A flaw has been found in AIAnytime Awesome-MCP-Server up to...
Low
Unreviewed
CVE-2026-14748
was published
Jul 5, 2026
Server-side request forgery (ssrf) in Microsoft Edge (Chromium-based) allows an unauthorized...
Moderate
Unreviewed
CVE-2026-58278
was published
Jul 3, 2026
Server-side request forgery (ssrf) in Microsoft Edge (Chromium-based) allows an unauthorized...
High
Unreviewed
CVE-2026-57993
was published
Jul 3, 2026
Server-side request forgery (ssrf) in Microsoft Edge (Chromium-based) allows an unauthorized...
Moderate
Unreviewed
CVE-2026-57987
was published
Jul 3, 2026
The WP Import Export Lite plugin for WordPress is vulnerable to Server-Side Request Forgery in...
Moderate
Unreviewed
CVE-2026-11397
was published
Jul 3, 2026
Server-side request forgery (ssrf) in Microsoft Entra Provisioning Service (SyncFabric) allows an...
Critical
Unreviewed
CVE-2026-57100
was published
Jul 3, 2026
Server-side request forgery (ssrf) in Azure OpenAI allows an authorized attacker to elevate...
Critical
Unreviewed
CVE-2026-45499
was published
Jul 3, 2026
AutoBangumi before 3.2.8 contains a server-side request forgery (SSRF) vulnerability that allows...
Moderate
Unreviewed
CVE-2026-59101
was published
Jul 2, 2026
LobeChat before 2.2.10-canary.18 contains a server-side request forgery vulnerability that allows...
High
Unreviewed
CVE-2026-59095
was published
Jul 2, 2026
Mautic Focus component Vulnerable to SSRF
Moderate
CVE-2026-9557
was published
for
mautic/core
(Composer)
Jul 2, 2026
@asymmetric-effort/specifyjs: No redirect target validation in secureFetch
Moderate
GHSA-j5qp-p44g-2m49
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: `data:` URI allowed without size restriction
Moderate
GHSA-2944-57xv-2682
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range)
Moderate
GHSA-xw57-23p8-9wc5
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: URL parse failure silently allows request
High
CVE-2026-50288
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
ProTip!
Advisories are also available from the
GraphQL API