Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,533 advisories

Loading
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation High
CVE-2026-54353 was published for @budibase/backend-core (npm) Jun 22, 2026
Artex09 Credited to Artex09
Budibase: SSRF via OAuth2 token endpoint URL reaches internal hosts and cloud metadata High
CVE-2026-48153 was published for @budibase/server (npm) Jun 22, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Gogs has SSRF in webhook deliveries Moderate
CVE-2026-47267 was published for gogs.io/gogs (Go) Jun 22, 2026
snyff Credited to snyff
Paymenter has Blind Unauthenticated SSRF on the Paypal gateway module Moderate
CVE-2026-44583 was published for paymenter/paymenter (Composer) Jun 22, 2026
boomerangBS Credited to boomerangBS and CorwinDev CorwinDev CorwinDev
OpenAM Authenticated Server-Side Request Forgery (SSRF) via `/sessionservice` Moderate
CVE-2026-44202 was published for org.openidentityplatform.openam:openam-core (Maven) Jun 22, 2026
OpenCTI has Semi-Blind SSRF via Unvalidated External URL in Data Ingestion Feature High
CVE-2026-21887 was published for pycti (pip) Jun 22, 2026
DaffySpider Credited to DaffySpider and TristanInSec TristanInSec TristanInSec
SurrealDB: SSRF via JWKS URL — Redirect Following in JWT Key Fetch Moderate
GHSA-h5rg-8p7f-47g2 was published for surrealdb (Rust) Jun 19, 2026
Pig-Tail Credited to Pig-Tail
Lokka: Azure Resource Manager URL path validation issue High
GHSA-g2gw-q38m-vjfc was published for @merill/lokka (npm) Jun 19, 2026
hackchang Credited to hackchang
Zeep: Server-Side Request Forgery (SSRF) Moderate
GHSA-4cc2-g9w2-fhf6 was published for zeep (pip) Jun 19, 2026
SearXNG MCP Server: DNS-resolved Private Hostname SSRF in `web_url_read` High
GHSA-mrvx-jmjw-vggc was published for mcp-searxng (npm) Jun 19, 2026
EQSTLab Credited to EQSTLab and useworld useworld useworld
Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms Moderate
CVE-2026-55187 was published for github.com/axllent/mailpit (Go) Jun 19, 2026
JLLeitschuh Credited to JLLeitschuh
Hugo: security.http.urls deny rules bypassed by alternate IPv4 encodings (SSRF) High
GHSA-r46f-3rpw-hxrv was published for github.com/gohugoio/hugo (Go) Jun 19, 2026
vnth4nhnt Credited to vnth4nhnt
canto-saas-api: Authenticated API requests can be redirected via unencoded path variables Moderate
CVE-2026-55374 was published for jleehr/canto-saas-api (Composer) Jun 19, 2026
jleehr Credited to jleehr
Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints Moderate
CVE-2026-55591 was published for signalk-server (npm) Jun 18, 2026
anushkavirgaonkar Credited to anushkavirgaonkar
ProTip! Advisories are also available from the GraphQL API