Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,533 advisories

Loading
@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url Low
GHSA-rp72-5v5q-2446 was published for @cardano402/mcp-server (npm) Jun 26, 2026
MorganOnCode Credited to MorganOnCode
Hysteria has an authenticated UDP ACL bypass that enables localhost and private-network UDP SSRF High
GHSA-vgrc-hq28-p3xp was published for github.com/apernet/hysteria/core/v2 (Go) Jun 26, 2026
0xlally Credited to 0xlally
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
Fluentd is Vulnerable to Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http` High
CVE-2026-44161 was published for fluentd (RubyGems) Jun 26, 2026
everping Credited to everping
Subscriber Server Side Request Forgery (SSRF) in Kirki <= 6.0.11 versions. Moderate Unreviewed
CVE-2026-57627 was published Jun 26, 2026
Subscriber Server Side Request Forgery (SSRF) in utm.codes <= 1.9.0 versions. Moderate Unreviewed
CVE-2026-56026 was published Jun 26, 2026
Lemur: ACME SSRF + creator-equality IDOR lead to AWS IAM/PKI compromise Critical
CVE-2026-55166 was published for lemur (pip) Jun 25, 2026
im-rootkid Credited to im-rootkid
Lemur: Crafted CRL/OCSP URLs in uploaded certificates lead to post-authentication SSRF Moderate
CVE-2026-55162 was published for lemur (pip) Jun 25, 2026
sour-exploit Credited to sour-exploit
jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF) Moderate
CVE-2026-54514 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
omkhar Credited to omkhar
In OpenStack Swift before 2.37.2, proxy-server does not strip internal update headers (X... Moderate Unreviewed
CVE-2026-50221 was published Jun 23, 2026
ProTip! Advisories are also available from the GraphQL API