Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,541 advisories

Loading
Spatie Laravel Media Library contains a server-side request forgery vulnerability Moderate
CVE-2026-48555 was published for spatie/laravel-medialibrary (Composer) May 29, 2026
WeasyPrint has a Server-Side Request Forgery (SSRF) Protection Bypass via HTTP Redirect High
CVE-2025-68616 was published for weasyprint (pip) Jan 20, 2026
g4nkd Credited to g4nkd
Mautic Focus component Vulnerable to SSRF Moderate
CVE-2026-9557 was published for mautic/core (Composer) Jul 2, 2026
r1beirin Credited to r1beirin, patrykgruszka, dungNHVhust, and escopecz patrykgruszka patrykgruszka
dungNHVhust dungNHVhust escopecz escopecz
@asymmetric-effort/specifyjs: No redirect target validation in secureFetch Moderate
GHSA-j5qp-p44g-2m49 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: `data:` URI allowed without size restriction Moderate
GHSA-2944-57xv-2682 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range) Moderate
GHSA-xw57-23p8-9wc5 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: URL parse failure silently allows request High
CVE-2026-50288 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
OpenClaw's browser act interactions could bypass private-network navigation checks Moderate
CVE-2026-53812 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
Subscriber Server Side Request Forgery (SSRF) in GeoDirectory <= 2.8.161 versions. Moderate Unreviewed
CVE-2026-57681 was published Jul 2, 2026
Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token High
CVE-2026-50143 was published for @apify/actors-mcp-server (npm) Jul 1, 2026
EQSTLab Credited to EQSTLab and 232-323 232-323 232-323
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header High
CVE-2026-50151 was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
1seal Credited to 1seal
oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens Low
CVE-2026-48978 was published for oras.land/oras-go (Go) Jul 1, 2026
1seal Credited to 1seal
Rancher Fleet has SSRF in Bundle Reader via Unvalidated Helm Repository URL in fleet.yaml Moderate
CVE-2026-44936 was published for github.com/rancher/fleet (Go) Jul 1, 2026
ProTip! Advisories are also available from the GraphQL API