GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,269
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,487
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,541 advisories
Filter by severity
Server-side request forgery (ssrf) in Microsoft Edge (Chromium-based) allows an unauthorized...
High
Unreviewed
CVE-2026-57993
was published
Jul 3, 2026
Server-side request forgery (ssrf) in Microsoft Edge (Chromium-based) allows an unauthorized...
Moderate
Unreviewed
CVE-2026-58278
was published
Jul 3, 2026
The WP Import Export Lite plugin for WordPress is vulnerable to Server-Side Request Forgery in...
Moderate
Unreviewed
CVE-2026-11397
was published
Jul 3, 2026
Server-side request forgery (ssrf) in Microsoft Entra Provisioning Service (SyncFabric) allows an...
Critical
Unreviewed
CVE-2026-57100
was published
Jul 3, 2026
Server-side request forgery (ssrf) in Azure OpenAI allows an authorized attacker to elevate...
Critical
Unreviewed
CVE-2026-45499
was published
Jul 3, 2026
LobeChat before 2.2.10-canary.18 contains a server-side request forgery vulnerability that allows...
High
Unreviewed
CVE-2026-59095
was published
Jul 2, 2026
AutoBangumi before 3.2.8 contains a server-side request forgery (SSRF) vulnerability that allows...
Moderate
Unreviewed
CVE-2026-59101
was published
Jul 2, 2026
Spatie Laravel Media Library contains a server-side request forgery vulnerability
Moderate
CVE-2026-48555
was published
for
spatie/laravel-medialibrary
(Composer)
May 29, 2026
WeasyPrint has a Server-Side Request Forgery (SSRF) Protection Bypass via HTTP Redirect
High
CVE-2025-68616
was published
for
weasyprint
(pip)
Jan 20, 2026
Mautic Focus component Vulnerable to SSRF
Moderate
CVE-2026-9557
was published
for
mautic/core
(Composer)
Jul 2, 2026
@asymmetric-effort/specifyjs: No redirect target validation in secureFetch
Moderate
GHSA-j5qp-p44g-2m49
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: `data:` URI allowed without size restriction
Moderate
GHSA-2944-57xv-2682
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range)
Moderate
GHSA-xw57-23p8-9wc5
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: URL parse failure silently allows request
High
CVE-2026-50288
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
OpenClaw's browser act interactions could bypass private-network navigation checks
Moderate
CVE-2026-53812
was published
for
openclaw
(npm)
Jul 2, 2026
A malicious actor with access to the network and low privileges could exploit a Server-Side...
High
Unreviewed
CVE-2026-54401
was published
Jul 2, 2026
A malicious actor with access to the network could exploit a Server-Side Request Forgery (SSRF)...
High
Unreviewed
CVE-2026-55113
was published
Jul 2, 2026
A malicious actor with access to the network and low privileges could exploit a Server-Side...
Critical
Unreviewed
CVE-2026-55115
was published
Jul 2, 2026
Subscriber Server Side Request Forgery (SSRF) in GeoDirectory <= 2.8.161 versions.
Moderate
Unreviewed
CVE-2026-57681
was published
Jul 2, 2026
Unauthenticated Server Side Request Forgery (SSRF) in Paid Member Subscriptions <= 3.0.4 versions.
High
Unreviewed
CVE-2026-57348
was published
Jul 2, 2026
liboauth2 is vulnerable to Server-Side Request Forgery in oauth2_jose_jwks_aws_alb_resolve()...
Moderate
Unreviewed
CVE-2026-54430
was published
Jul 2, 2026
Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token
High
CVE-2026-50143
was published
for
@apify/actors-mcp-server
(npm)
Jul 1, 2026
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header
High
CVE-2026-50151
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens
Low
CVE-2026-48978
was published
for
oras.land/oras-go
(Go)
Jul 1, 2026
Rancher Fleet has SSRF in Bundle Reader via Unvalidated Helm Repository URL in fleet.yaml
Moderate
CVE-2026-44936
was published
for
github.com/rancher/fleet
(Go)
Jul 1, 2026
ProTip!
Advisories are also available from the
GraphQL API